Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS impact requires victim page visit (UI:R); Contributor access mandatory (PR:L); scope changes to victim browser (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at least Contributor-level privileges on the target site - anonymous, unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects the network attack vector, low complexity, and scope change - but the low-privilege requirement (PR:L, Contributor role) is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a Contributor-level WordPress account - obtained through open registration, social engineering, or credential compromise - edits or creates a post containing the Slideshow Gallery shortcode with a crafted JavaScript payload embedded in the 'alwaysauto' attribute. The malicious post is published or submitted for review; when any authenticated user (including an administrator) subsequently views the page, the injected script executes in their browser, potentially stealing the session cookie and granting the attacker full administrative control of the WordPress site. … |
| Remediation | A fix has been committed upstream in Trac changeset 3567787 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3567787%40slideshow-gallery&new=3567787%40slideshow-gallery); however, the specific released patched version number has not been independently confirmed from the available input data - site owners should update to the latest available version of Slideshow Gallery LITE from the WordPress plugin repository and verify the installed version is newer than 1.8.5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37868
GHSA-5qqr-q6rw-943w