CVE-2026-8900 in Simple SEO Slideshow Plugin

Summary

by MITRE • 06/06/2026

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.


Analysis

by VulDB Data Team • 06/06/2026

The Simple SEO Slideshow plugin for WordPress contains a critical stored cross-site scripting vulnerability that affects all versions up to and including 1.2.8. The flaw stems from inadequate input sanitization and output escaping in the plugin's shortcode attribute handling: user-supplied attribute values are not properly sanitized when the shortcode is processed, so authenticated attackers with contributor-level privileges or higher can inject persistent script content. Because the crafted attribute values are stored in the WordPress database together with the post, the payload persists across page loads and user sessions rather than depending on a single request.

Exploitation occurs when an authenticated user with contributor-level access or greater creates or modifies a post containing the plugin's shortcode with crafted attribute values. During the post saving process, WordPress KSES (a recursive acronym for "KSES Strips Evil Scripts", the core HTML filter applied to post content) does not strip malicious shortcode attribute values, so the script-bearing values are saved unchanged. The payload is therefore permanently embedded in the post content and executes whenever any user views the affected page, regardless of that user's privilege level. The persistence is particularly concerning because the attack rides on the plugin's legitimate shortcode functionality, which makes it harder for security monitoring to distinguish malicious from benign usage.

The operational impact extends beyond simple script execution and creates significant risk for WordPress administrators and site visitors alike. Any user with contributor-level access or higher can inject scripts that execute for all visitors, including administrators reviewing the post that contains the malicious content. Privileged users thus become targets: the injected script runs in their browser session and can steal session cookies, redirect them to malicious sites, or launch further attacks against the WordPress installation. This potential for privilege escalation and data exfiltration makes the vulnerability especially dangerous in environments where multiple users hold contributor or administrator access.

The vulnerability aligns with CWE-79 (Cross-Site Scripting) and follows patterns consistent with ATT&CK techniques T1566 (Phishing) and T1059 (Command and Scripting Interpreter). Organizations should apply immediate mitigations: update the plugin to the latest secure release, enforce strict input validation for all user-supplied content, and audit all installed plugins for similar escaping gaps. Administrators should also consider deploying a Content Security Policy and monitoring for unusual shortcode usage patterns to detect exploitation attempts. The case illustrates the importance of proper input sanitization and context-aware output escaping in web applications, particularly in content management systems, where a low-privilege role can be leveraged to compromise an entire installation through seemingly innocuous plugin functionality.
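The following is an added illustration of the weakness class described above and of the escaping mitigation; it is not code from the Simple SEO Slideshow plugin or from VulDB. The shortcode tag `sss_demo_slideshow`, the attribute names `title`, `image` and `width`, and the function names are assumptions; `add_shortcode()`, `shortcode_atts()`, `esc_attr()`, `esc_url()` and `absint()` are WordPress core functions, so the snippet runs inside a WordPress plugin, not as a stand-alone script.

```php
<?php
/**
 * Added illustration (not the plugin's own code). Assumes the WordPress runtime.
 * The shortcode tag and attribute names below are invented for the example.
 *
 * Context: KSES filters HTML tags in post content on save, but a shortcode
 * attribute value is plain text inside [brackets], so it reaches the handler
 * exactly as the contributor typed it. Safety therefore depends entirely on
 * how the handler renders that value.
 */

// --- Vulnerable pattern: attribute values are concatenated into HTML unescaped.
// A contributor-controlled value in `title` or `image` that contains a quote or
// an angle bracket lands verbatim in the attribute context of the rendered page.
function sss_demo_slideshow_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'image' => '', 'width' => 600 ),
        $atts,
        'sss_demo_slideshow'
    );
    return '<div class="sss-slide" title="' . $atts['title'] . '">'
         . '<img src="' . $atts['image'] . '" width="' . $atts['width'] . '">'
         . '</div>';
}

// --- Hardened pattern: escape each value for its exact output context, at
// render time ("escape late"), and coerce numeric values to numbers.
function sss_demo_slideshow_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'image' => '', 'width' => 600 ),
        $atts,
        'sss_demo_slideshow'
    );

    // HTML attribute context: esc_attr() encodes & < > " ' so the value can
    // neither terminate the attribute nor open a new tag or event handler.
    // Constructed sample: title `Summer "sale" <b>` renders as
    // `Summer &quot;sale&quot; &lt;b&gt;`.
    $title = esc_attr( $atts['title'] );

    // URL context: esc_url() drops values with disallowed schemes and encodes
    // the remainder for safe use in src/href.
    $image = esc_url( $atts['image'] );

    // Numeric attribute: absint() yields a non-negative integer, so no string
    // content from the shortcode reaches the width attribute at all.
    $width = absint( $atts['width'] );

    return sprintf(
        '<div class="sss-slide" title="%s"><img src="%s" width="%d"></div>',
        $title,
        $image,
        $width
    );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'sss_demo_slideshow', 'sss_demo_slideshow_hardened' );
```

The point of the contrast is that both handlers receive identical input; the difference is solely whether each value is escaped for the context it is written into. A reviewer auditing a plugin for this weakness class looks for attribute values flowing from `$atts` into markup without an `esc_*` call matching that context (attribute, URL, or plain HTML).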

Responsible: Wordfence

Reservation: 05/18/2026

Disclosure: 06/06/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
