Social Slider Feed
Monthly
Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.
Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.