Description
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Multi Post Carousel by Category plugin for WordPress contains a stored cross‑site scripting flaw tied to the "slides" shortcode attribute. Unsanitized input from that attribute is stored and later output without proper escaping, allowing an attacker who can edit content to inject arbitrary JavaScript that runs whenever a page using the shortcode is viewed by visitors. This can lead to session hijacking, defacement, or phishing attacks against any user who views the affected content.

Affected Systems

WordPress sites running the gbsdeveloper Multi Post Carousel by Category plugin, specifically all versions up to and including 1.4. Sites that have enabled the "slides" shortcode in posts or pages are vulnerable. An attacker does not need to compromise the site itself but only needs Contributor‑level or higher access to insert the malicious code.

Risk and Exploitability

The vulnerability scores a CVSS of 6.4, indicating medium‑to‑high severity. EPSS data is not available and it is not listed in CISA's KEV catalog, suggesting it is not a widely exploited vulnerability yet. Exploitation requires an authenticated user with permission to edit content using the shortcode. Once a malicious script is stored, it executes in the browser of any user who opens the affected page, without the need for additional attack steps.

Generated by OpenCVE AI on March 21, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Multi Post Carousel by Category plugin to a version newer than 1.4 if a release is available.
  • Restrict Contributor and other content‑editable roles from adding or editing posts that contain the "slides" shortcode; consider removing the shortcodes capability or using role‑management plugins to enforce this restriction.
  • If an update cannot be applied immediately, disable or remove the plugin entirely or deactivate the shortcode functionality to stop the vulnerability from being usable.

Generated by OpenCVE AI on March 21, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Gbsdeveloper
Gbsdeveloper multi Post Carousel By Category
Wordpress
Wordpress wordpress
Vendors & Products Gbsdeveloper
Gbsdeveloper multi Post Carousel By Category
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Gbsdeveloper Multi Post Carousel By Category
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:26.184Z

Reserved: 2026-01-20T21:58:43.839Z

Link: CVE-2026-1275

cve-icon Vulnrichment

Updated: 2026-03-23T17:53:46.768Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:16:52.253

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-1275

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:46Z

Weaknesses