Description
The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Real Post Slider Lite plugin allows administrators to modify settings that are stored in the database without proper sanitization or escaping. Because the plugin fails to filter or escape the data, a malicious administrator can embed JavaScript or other executable code that is rendered when a visitor loads any page that includes those settings. This is a stored cross‑site scripting flaw that can lead to session hijacking, data theft, or redirects to malicious sites for anyone who views the affected page.
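
The two defects named in the description, missing input sanitization and missing output escaping, correspond to two separate places in a settings-handling plugin. The PHP below is an added illustration of that bug class and of its fix; it is not code from Real Post Slider Lite, and the option names, field names and function names (`rps_example_*`) are assumed for the example. On a single site WordPress grants administrators the unfiltered_html capability, so raw markup from them is permitted by design; on multisite only super admins hold it by default, and the DISALLOW_UNFILTERED_HTML constant removes it for everyone, which is why a plugin that stores and prints administrator input verbatim bypasses that restriction in exactly the installations the description lists.

```php
<?php
/**
 * Added illustration of CWE-79 through plugin settings. NOT Real Post Slider
 * Lite's code: option name, field names and function names are assumed.
 *
 * Vulnerable pattern: the submitted setting is stored verbatim and later
 * printed into the page unescaped, so whatever was typed into the field is
 * rendered as markup in every visitor's browser, regardless of whether the
 * saving user holds the unfiltered_html capability.
 */
function rps_example_save_settings_vulnerable() {
    // Stored as-is: no sanitization on input.
    update_option( 'rps_example_slider_title', wp_unslash( $_POST['slider_title'] ?? '' ) );
}

function rps_example_render_vulnerable() {
    // Printed as-is: no escaping on output.
    echo '<h2 class="rps-title">' . get_option( 'rps_example_slider_title', '' ) . '</h2>';
}

/**
 * Hardened pattern. Sanitization on write and escaping on output are
 * independent controls and both are needed: the first bounds what can be
 * stored, the second bounds what can reach the page even if a value was
 * written through another path (import, direct DB edit, an older version).
 */
function rps_example_sanitize_settings( $input ) {
    $clean = array();

    // A plain title never legitimately contains markup: strip tags, control
    // characters and surrounding whitespace.
    $clean['slider_title'] = sanitize_text_field( $input['slider_title'] ?? '' );

    // A caption may keep limited formatting. wp_kses_post() allows the same
    // tag set as post content and drops script/event-handler attributes.
    // Filtering unconditionally here, instead of checking unfiltered_html,
    // gives the same behaviour on single-site and multisite installs.
    $clean['caption_html'] = wp_kses_post( $input['caption_html'] ?? '' );

    return $clean;
}

function rps_example_register_settings() {
    // The sanitize_callback runs on every update_option() for this option,
    // not only on submissions from the plugin's own settings screen.
    register_setting(
        'rps_example_group',
        'rps_example_settings',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'rps_example_sanitize_settings',
            'default'           => array( 'slider_title' => '', 'caption_html' => '' ),
        )
    );
}
add_action( 'admin_init', 'rps_example_register_settings' );

function rps_example_render_hardened() {
    $settings = get_option( 'rps_example_settings', array() );
    $title    = $settings['slider_title'] ?? '';
    $caption  = $settings['caption_html'] ?? '';

    // Escape for the context the value lands in: attribute vs text node.
    echo '<h2 class="rps-title" data-title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</h2>';

    // Re-filter at output so stored values that predate the fix, or that
    // were written without going through the sanitize_callback, are still
    // reduced to the allowed tag set before they reach a visitor.
    echo '<div class="rps-caption">' . wp_kses_post( $caption ) . '</div>';
}
```

register_setting() with a sanitize_callback is the standard place for the write-side fix because WordPress applies the callback through the sanitize_option filter whenever the option is updated; the output-side escaping stays in place regardless, since a value saved before the plugin was patched is still in the database after the upgrade, which is also why the recommended actions below include reviewing the stored settings on every site.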

Affected Systems

The flaw exists in all releases of Real Post Slider Lite prior to and including version 2.4, distributed by the vendor vk011. It only affects WordPress multisite installations where the unfiltered_html capability has been disabled, meaning that administrators are the only users able to perform the injection. Single‑site or non‑multisite setups are not impacted by this issue.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited known exploitation. However, because the flaw requires administrator access, an insider threat or compromised admin account can still exploit it, warranting timely remediation.

Generated by OpenCVE AI on April 15, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Real Post Slider Lite to the latest stable release that removes the vulnerability.
  • Remove any JavaScript or suspicious content from the plugin settings on all sites that use the vulnerable version.
  • Disable or restrict the ‘unfiltered_html’ capability on multisite installations until the plugin has been updated.
  • Consider implementing a Web Application Firewall to block malicious payloads.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared. Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products. Values Added: Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Real Post Slider Lite <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:17.460Z

Reserved: 2026-01-07T17:53:52.483Z

Link: CVE-2026-0680

Vulnrichment

Updated: 2026-01-14T15:44:51.565Z

NVD

Status : Deferred

Published: 2026-01-14T06:15:55.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses