Hong Kong NGO Alert: XSS in WordPress Slideshow Wp (CVE-2026-1885)

Cross Site Scripting (XSS) in WordPress Slideshow Wp Plugin


CVE-2026-1885: Authenticated Contributor Stored XSS in Slideshow Wp (<= 1.1) — What WordPress Site Owners Need to Know

Plugin Name: Slideshow Wp
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-1885
Urgency: Low
CVE Publish Date: 2026-02-12
Source URL: CVE-2026-1885

Published: 2026-02-12 · Author: Hong Kong Security Expert · Tags: WordPress, XSS, CVE-2026-1885, WAF, plugin security

TL;DR — A stored cross-site scripting (XSS) vulnerability (CVE-2026-1885) was disclosed in the Slideshow Wp WordPress plugin (versions <= 1.1). An authenticated user with Contributor privileges can inject a malicious payload via the shortcode attribute sswpid in the sswp-slide shortcode. The payload is stored and later rendered to site visitors, potentially enabling session theft, content manipulation, or other client-side attacks. If you run this plugin and cannot immediately update or remove it, apply the mitigations and WAF rules in this guide to reduce risk.

Executive summary

On 10 Feb 2026 a stored XSS vulnerability affecting Slideshow Wp (<= 1.1) was publicly documented (CVE-2026-1885). The root cause is insufficient sanitization and/or escaping of the sswpid attribute on the plugin’s sswp-slide shortcode, allowing an authenticated contributor (or higher) to persist HTML/JavaScript that executes when the slideshow is rendered.

  • Vulnerability: Stored Cross-Site Scripting (XSS)
  • Plugin: Slideshow Wp (slug: slideshow-wp)
  • Affected versions: ≤ 1.1
  • CVE: CVE-2026-1885
  • Required privilege: Contributor (authenticated)
  • CVSS (reported): 6.5 (Medium)
  • Reported by: Muhammad Yudha – DJ

This analysis explains why the issue matters, exploitation scenarios, detection steps, immediate mitigations (including WAF/virtual-patch suggestions), developer fixes, and incident response advice from the perspective of a Hong Kong security practitioner.


Why this vulnerability matters

Stored XSS is particularly dangerous because the attacker persists a payload that executes in the browsers of visitors who view the affected page. This vulnerability is significant for several reasons:

  • Contributor access is common on multi-author sites and community blogs. Contributors can create/edit content that may be published or previewed by editors, which can expose privileged users to injected payloads.
  • The sswpid attribute is intended as an identifier. If it is not validated (for example forced to an integer) and not escaped on output, it becomes an injection point.
  • Stored XSS can be used to steal cookies, exfiltrate data, deface content, display phishing forms, or perform client-side actions in the context of higher-privilege users who view the content.

Even if classed as low/medium on some scoring systems, stored XSS must be treated seriously because impact is environment-dependent (site configuration, user roles, CSP, monitoring).


Technical description (what happened)

  • The plugin registers a shortcode named sswp-slide. One attribute is sswpid, likely used as an identifier.
  • The shortcode, including whatever value the author typed for sswpid, is saved as part of the post content; the plugin does not sanitize or validate that value.
  • On rendering, the plugin outputs the attribute value into the HTML without proper escaping for attribute or HTML context.
  • Because user-supplied characters are not neutralized, a contributor can supply markup or scripts that execute when the page is rendered — a classic stored XSS.

Typical insecure patterns include echoing raw attribute values (e.g., echo $atts['sswpid'];), failing to validate types (not enforcing integer IDs), and not using escaping functions such as esc_attr() or esc_html().
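The two patterns side by side, as an added example that is not code from the Slideshow Wp plugin or from the advisory. Only the shortcode name (sswp-slide) and the attribute (sswpid) come from the page; the function names, the wrapper markup and the data-sswpid attribute are assumptions chosen for illustration. The fix belongs in the shortcode callback, because the shortcode text is stored as ordinary post content and the attribute is only parsed when the page is rendered. The fragment is meant to be loaded by WordPress (from a plugin file or a theme's functions.php) and relies on the core functions shortcode_atts(), absint(), esc_attr() and add_shortcode().

```php
<?php
/*
 * Added example, not code from the Slideshow Wp plugin or the advisory.
 * Only the shortcode name (sswp-slide) and the attribute (sswpid) come from
 * the page; the markup, the data-sswpid attribute and the function names are
 * assumptions. Load it from a plugin file or theme functions.php; it needs
 * WordPress's shortcode_atts(), absint(), esc_attr() and add_shortcode().
 */

// BEFORE: the pattern the advisory describes. The attribute value goes straight
// into the HTML, so a value such as 1"><img src=x onerror=...> closes the quoted
// attribute and the tag, and the remainder is parsed as new markup.
// Kept here for comparison only; it is deliberately not registered.
function sswp_slide_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'sswpid' => '' ), $atts, 'sswp-slide' );
    return '<div class="sswp-slide" data-sswpid="' . $atts['sswpid'] . '"></div>';
}

// AFTER: validate the type first, then escape at the output sink.
function sswp_slide_hardened( $atts ) {
    $atts = shortcode_atts( array( 'sswpid' => 0 ), $atts, 'sswp-slide' );

    // absint() casts to a non-negative integer: '1"><img ...>' becomes 1 and
    // 'javascript:alert(1)' becomes 0, so no attacker-controlled text survives.
    $id = absint( $atts['sswpid'] );
    if ( 0 === $id ) {
        return ''; // no valid slide id: render nothing rather than guessing
    }

    // $id is already an int, but escaping for the attribute context is cheap
    // defence in depth: if the validation above is ever loosened, the sink
    // still neutralises quotes and angle brackets.
    return '<div class="sswp-slide" data-sswpid="' . esc_attr( $id ) . '"></div>';
}

add_shortcode( 'sswp-slide', 'sswp_slide_hardened' );
```

The order matters: validation (absint) removes the injection entirely, and escaping (esc_attr) is the safety net for the output context. Escaping alone would also stop this particular XSS, but an identifier that is allowed to carry arbitrary text tends to be reused later in a SQL lookup or a JavaScript block where esc_attr() is the wrong function.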


Exploitation scenarios

  1. Contributor account abuse:
    An attacker with a Contributor account inserts a shortcode whose sswpid value closes the quoted attribute and the tag it is echoed into, so that whatever follows is parsed as new markup:

    [sswp-slide sswpid="1">]

    Once the post is published and a visitor loads it, the injected markup (and any script it carries) runs in the visitor's browser. Contributors cannot publish on their own, so this path depends on an editor approving the post (scenario 2) or on a site that has granted contributors publishing rights.

  2. Social engineering to target editors/admins:
    A contributor submits content for review containing the malicious shortcode; an editor/admin previewing or publishing the content may execute the payload, enabling escalation chains.
  3. Mass distribution:
    If placed on a homepage or popular page, the payload affects many visitors.

How to detect whether your site is affected

  1. Check plugin version: WordPress admin → Plugins and confirm Slideshow Wp version. Treat ≤ 1.1 as potentially vulnerable.
  2. Search content for the shortcode: In the database, search wp_posts.post_content for occurrences of sswp-slide or sswpid.
    -- adjust the wp_ prefix if the site uses a custom table prefix;
    -- post_author shows which account inserted the tag, post_status whether it is live
    SELECT ID, post_author, post_status, post_type, post_title
    FROM wp_posts
    WHERE post_content LIKE '%[sswp-slide%'
       OR post_content LIKE '%sswpid%'
    LIMIT 100;
  3. Inspect attribute values: Look for sswpid values containing characters outside the expected numeric pattern, such as <, >, script, javascript:, percent-encodings like %3C, or event handlers like onerror=.
  4. Scan rendered output: Visit pages that include slides and view page source for unescaped
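A scanner for steps 2 and 3 of this procedure, as an added example that is not code from the advisory or the plugin. It is stand-alone PHP (no WordPress required; run it with php from the command line, or adapt it for wp eval-file to read live rows) that takes ID/post_content rows and reports every [sswp-slide ...] tag whose attribute string is anything other than a single numeric sswpid, labelling each hit with the indicators listed in step 3. The sample rows at the bottom are constructed for illustration and stand in for the output of the query above. The allow-list assumes sswpid is the shortcode's only attribute; if your version accepts others, extend SSWP_EXPECTED_RE or expect some benign tags to be reported for review.

```php
<?php
/*
 * Added example, not code from the advisory or the plugin: a stand-alone scanner
 * for detection steps 2 and 3. Feed it ID/post_content rows; the rows below are
 * constructed samples. Assumption: a legitimate tag carries only a numeric sswpid.
 * Run with: php sswp_scan.php
 */

// One [sswp-slide ...] tag; like WordPress's shortcode parser, it ends at the first ].
const SSWP_TAG_RE = '/\[sswp-slide\b([^\]]*)\]/i';

// The only attribute string a legitimate tag should carry: a numeric id, quoted or not.
const SSWP_EXPECTED_RE = '/^\s*sswpid\s*=\s*(?:"\d+"|\'\d+\'|\d+)\s*$/';

// Why a tag failed the allow-list; the labels mirror the indicators in step 3.
const SSWP_MARKERS = array(
    'angle-brackets'  => '/[<>]/',
    'script'          => '/script/i',
    'javascript-uri'  => '/javascript\s*:/i',
    'event-handler'   => '/\bon\w+\s*=/i',
    'percent-encoded' => '/%[0-9a-f]{2}/i',
    'html-entity'     => '/&(?:#x?[0-9a-f]+|[a-z]+);/i',
);

/** Return one finding per suspicious sswp-slide tag in a single post_content. */
function sswp_scan_content( string $content ): array {
    $findings = array();
    if ( ! preg_match_all( SSWP_TAG_RE, $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $tags as $tag ) {
        $attrs = $tag[1];
        if ( preg_match( SSWP_EXPECTED_RE, $attrs ) ) {
            continue; // exactly the shape we expect
        }
        $reasons = array();
        foreach ( SSWP_MARKERS as $label => $re ) {
            if ( preg_match( $re, $attrs ) ) {
                $reasons[] = $label;
            }
        }
        if ( empty( $reasons ) ) {
            $reasons[] = 'unexpected-attribute-string'; // still needs a human look
        }
        $findings[] = array( 'tag' => $tag[0], 'reasons' => $reasons );
    }
    return $findings;
}

/** Scan many rows shaped like [ 'ID' => int, 'post_content' => string ]. */
function sswp_scan_rows( array $rows ): array {
    $report = array();
    foreach ( $rows as $row ) {
        foreach ( sswp_scan_content( $row['post_content'] ) as $f ) {
            $report[] = array( 'ID' => $row['ID'] ) + $f;
        }
    }
    return $report;
}

// Constructed sample rows standing in for real wp_posts output.
$sample_rows = array(
    array( 'ID' => 101, 'post_content' => 'Benign: [sswp-slide sswpid="3"] and [sswp-slide sswpid=7]' ),
    array( 'ID' => 102, 'post_content' => '[sswp-slide sswpid=\'1"><img src=x onerror=alert(1)>\']' ),
    array( 'ID' => 103, 'post_content' => '[sswp-slide sswpid="%3Cscript%3E"]' ),
    array( 'ID' => 104, 'post_content' => '[sswp-slide sswpid="javascript:alert(1)"]' ),
    array( 'ID' => 105, 'post_content' => '[sswp-slide sswpid="&#60;svg onload=alert(1)&#62;"]' ),
);

// Post 101 is silent; 102 to 105 are each reported with their matching indicators.
foreach ( sswp_scan_rows( $sample_rows ) as $hit ) {
    printf( "post %d: %s  -> %s\n", $hit['ID'], $hit['tag'], implode( ', ', $hit['reasons'] ) );
}
```

The allow-list approach is deliberate: rather than trying to enumerate every encoding an attacker might use, the scanner treats anything that is not a plain numeric sswpid as worth a look, and the marker labels only explain why. Run it against revisions as well as published posts (post_type = 'revision' in the query above), since a payload that an editor removed before publishing still tells you which account attempted the injection.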