Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1.
AnalysisAI
A Cross-site Scripting (XSS) vulnerability exists in the Ays Pro Image Slider WordPress plugin (versions up to and including 2.7.1) due to improper input neutralization during web page generation, combined with incorrectly configured access control security levels. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, redirecting users, or performing unauthorized actions on behalf of victims. No CVSS score, EPSS data, or active exploitation signals (KEV status) are currently available, but the vulnerability is confirmed by Patchstack and assigned EUVD-2026-15837.
Technical ContextAI
The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where user-supplied input is not properly sanitized or escaped before being rendered in HTML context. The affected product is the Ays Pro Image Slider plugin for WordPress (CPE: cpe:2.3:a:ays_pro:image_slider_by_ays), which generates dynamic web pages containing slider content. The root cause involves both insufficient input validation/output encoding AND weak access control mechanisms that allow attackers to inject malicious payloads (JavaScript, HTML) into pages viewed by other users. This is particularly critical in WordPress plugins because they have direct access to the database and page rendering pipeline.
RemediationAI
Immediately upgrade the Ays Pro Image Slider plugin to a version later than 2.7.1 (check the official WordPress plugin repository or vendor website for the latest patched release). Until a patch is available or deployed, implement input validation and output encoding at the application level by reviewing and restricting access to slider creation and configuration features to only trusted administrators, disable the plugin if not actively in use, and consider using a Web Application Firewall (WAF) to filter XSS payloads at the network edge. Additionally, regularly scan the WordPress installation for malicious scripts using security plugins (e.g., Wordfence, Sucuri) and audit user accounts for unauthorized modifications. For detailed guidance, refer to the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/ays-slider/vulnerability/wordpress-image-slider-by-ays-plugin-2-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve.
More in Image Slider By Ays
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15837
GHSA-68ph-vr74-q269