Description
Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Slider by Soliloquy 2.6.2 allows an authenticated user to inject JavaScript into the slider title. The content is stored and later rendered on both the administrative dashboard and the public website. Attacker-controlled scripts run in the context of the visitor’s browser, giving the attacker access to session cookies and the ability to deface content or redirect visitors to malicious sites. This is a classic stored XSS flaw that can compromise the confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability affects the Soliloquy plugin for WordPress, specifically version 2.6.2. No other affected versions are listed in the public data. Systems running this version with authenticated user accounts are vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, and the absence of an EPSS score suggests no public exploit evidence yet. The flaw is not listed in CISA’s KEV catalog, meaning it is not known to be actively exploited at this time. To exploit it, the attacker must be logged in as an author or higher with access to create or edit sliders; however, once the payload is stored, any visitor who loads a page containing the slider will execute it. The attack vector is therefore authenticated input that is stored by the plugin and executed during page rendering.

Generated by OpenCVE AI on May 10, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Soliloquy plugin to the latest version (≥2.6.3) where the title field is properly sanitized.
  • Restrict permission to edit sliders to trusted user roles or remove the capability to add sliders entirely on the site.
  • Apply a generic input-validation filter or content-security-policy to strip or escape script tags from stored slider titles if an upgrade is not immediately possible.
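As an added illustration of the third action above (this is example code, not Soliloquy's or OpenCVE's), a small WordPress must-use plugin that normalises the slider title to plain text on save and HTML-escapes it on output. It uses only the core WordPress hooks `wp_insert_post_data` and `the_title` and the core helpers `sanitize_text_field()`, `wp_unslash()`, `wp_slash()`, `get_post_type()` and `esc_html()`; the slider post type name `soliloquy` is an assumption.

```php
<?php
/*
 * Plugin Name: Slider title hardening (added example, not part of Soliloquy)
 *
 * Defence in depth for a stored XSS in a slider title:
 *  1. on save, reduce the title to plain text before it reaches the database;
 *  2. on output, HTML-escape the title wherever a template prints it via
 *     the_title()/get_the_title(), covering rows stored before this ran.
 * Place in wp-content/mu-plugins/ so it is always loaded.
 */

// Assumed post type used by the slider plugin; adjust to the real one.
define( 'SLIDER_TITLE_POST_TYPE', 'soliloquy' );

/**
 * Runs before wp_insert_post() writes to the database. The data arrives
 * slashed, so unslash, sanitise, and re-slash to keep core's expectations.
 * sanitize_text_field() strips tags, removes control characters and
 * percent-encoded control sequences, and trims whitespace.
 */
function slider_title_sanitize_on_save( array $data, array $postarr ) {
    if ( isset( $data['post_type'], $data['post_title'] )
        && SLIDER_TITLE_POST_TYPE === $data['post_type'] ) {
        $clean = sanitize_text_field( wp_unslash( $data['post_title'] ) );
        $data['post_title'] = wp_slash( $clean );
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'slider_title_sanitize_on_save', 10, 2 );

/**
 * Escape the stored title on output so nothing already in the database can
 * be interpreted as markup. esc_html() does not double-encode existing
 * entities, so titles that are already escaped are left intact.
 */
function slider_title_escape_on_output( $title, $post_id = 0 ) {
    if ( $post_id && SLIDER_TITLE_POST_TYPE === get_post_type( $post_id ) ) {
        return esc_html( $title );
    }
    return $title;
}
add_filter( 'the_title', 'slider_title_escape_on_output', 10, 2 );
```

The output filter only protects rendering paths that go through `get_the_title()`; code that reads `$post->post_title` directly, or a title the plugin stores in its own metadata, is not covered. Treat this as a stopgap for sites that cannot upgrade immediately; the upgrade in the first action remains the fix.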


Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Soliloquywp
                                      Soliloquywp slider By Soliloquy
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Soliloquywp
                                      Soliloquywp slider By Soliloquy
                                      Wordpress
                                      Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type          Values Removed   Values Added
Description                    Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages.
Title                          WordPress Plugin Slider by Soliloquy 2.6.2 Stored XSS
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:45.278Z

Reserved: 2026-02-01T11:24:18.715Z

Link: CVE-2021-47922

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:28.033

Modified: 2026-05-10T13:16:28.033

Link: CVE-2021-47922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:39Z

Weaknesses