Skip to main content

Slideshow Gallery Lite

1 CVEs product

Monthly

CVE-2026-2021 MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy