Skip to main content

Social Slider Feed CVE-2026-39507

| EUVDEUVD-2026-36949 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-gqg3-6xw2-phxp
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin XSS, no auth needed (PR:N) but requires victim click (UI:R); injected script crosses into the WordPress origin (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:24 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.

Technical ContextAI

Social Slider Feed (originally distributed as the 'instagram-slider-widget' plugin per the Patchstack reference) is a WordPress plugin maintained by ThemeIsle that renders social-media slider widgets on WordPress pages. The CPE cpe:2.3:a:themeisle:social_slider_feed:*:*:*:*:*:*:*:* covers all versions through 2.3.2. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input is reflected or stored into HTML output without proper escaping/sanitization, letting an attacker inject script tags or HTML attributes that execute when rendered in another user's browser session within the WordPress site origin.

RemediationAI

Patch available per vendor advisory - upgrade the Social Slider Feed plugin to the latest version published on the WordPress.org plugin repository (the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/instagram-slider-widget/vulnerability/wordpress-social-slider-feed-plugin-2-3-2-cross-site-scripting-xss-vulnerability lists the fixed release; no exact fix version was provided in the supplied intelligence, so verify against the WordPress plugin changelog before deployment). If immediate patching is not possible, deactivate and remove the plugin (side effect: social slider widgets will disappear from the site), or place the site behind a WAF such as Patchstack/Wordfence with XSS rules enabled (side effect: may produce false positives on legitimate widget content). Additionally, enforce a strict Content-Security-Policy that disallows inline scripts to blunt reflected payloads (side effect: may break other plugins or themes that rely on inline JS).

Share

CVE-2026-39507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy