Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS in a WordPress plugin typically requires at least an affiliate/subscriber account to submit content (PR:L), needs a victim to load the page (UI:R), changes scope to the browser (S:C), and has no direct availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS.
This issue affects SliceWP: from n/a through 1.2.6.
AnalysisAI
Stored cross-site scripting in the SliceWP WordPress affiliate-marketing plugin (all versions up to and including 1.2.6) lets remote attackers persist malicious JavaScript that executes in the browsers of users who later view the affected page. Patchstack-reported issue with no public exploit identified at time of analysis; CVSS 7.1 reflects the scope-changing impact when an admin or another user is lured into rendering the injected payload. Affects WordPress sites running the iova.Mihai SliceWP plugin in default configurations exposed to attacker-supplied input.
Technical ContextAI
SliceWP is a WordPress plugin by iova.Mihai (CPE cpe:2.3:a:iova.mihai:slicewp) that adds affiliate-program functionality (registration, referral tracking, commissions) to WordPress sites. The root cause is CWE-79, Improper Neutralization of Input During Web Page Generation, meaning one or more plugin code paths render attacker-controlled values into HTML without proper output encoding or input sanitization. Because the XSS is stored, the malicious payload is persisted server-side (in the WordPress database) and re-rendered to every subsequent viewer of the affected page, rather than requiring a crafted link as with reflected XSS.
RemediationAI
No vendor-released patch version is identified in the supplied intelligence; the Patchstack advisory only documents the vulnerable range as 'n/a through 1.2.6', so administrators should monitor the SliceWP plugin page on wordpress.org and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/slicewp/vulnerability/wordpress-slicewp-plugin-1-2-6-cross-site-scripting-xss-vulnerability) for a release newer than 1.2.6 and upgrade as soon as it is published. Until then, mitigate by deploying a WordPress WAF rule (Patchstack, Wordfence) that virtually patches this CVE, restricting which roles can submit content to the SliceWP affiliate forms/settings, and temporarily deactivating the SliceWP plugin if the affiliate program is non-essential - deactivation will disable affiliate signup and referral tracking. A site-wide Content Security Policy that forbids inline script can blunt payload execution but typically breaks WordPress admin UI and many other plugins, so test before rolling out.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36361
GHSA-36wv-jqc8-m47v