Description
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-02-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS in a WordPress plugin that can be exploited by unauthenticated users to run arbitrary scripts in victims ’ browsers
Action: Immediate patch
AI Analysis

Impact

The Subitem AL Slider plugin for WordPress contains a flaw in its use of the server variable `$_SERVER['PHP_SELF']` that is not properly escaped. This allows an attacker to craft a URL that injects arbitrary JavaScript code which is then reflected back to the visitor’s browser. The injected script can be used to steal session cookies, deface the site, or redirect users to malicious sites. The vulnerability is easy to trigger and does not require any authentication, meaning any site visitor is potentially exploitable.

Affected Systems

WordPress installations using the Subitem AL Slider plugin, vendor alexdtn, in all releases up to and including version 1.0.0. No other vendors or products are currently affected.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, highlighting the potential impact of XSS. The EPSS score of less than 1% reflects a low current exploitation probability, but the awareness of this flaw can still drive future attacks. The vulnerability is not listed in the CISA KEV catalog, so there are no known widespread attacker campaigns exploiting it. The attack vector is likely an unauthenticated user visiting a crafted link or URL containing malicious JavaScript; any user who clicks such a link would be affected.

Generated by OpenCVE AI on April 17, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Subitem AL Slider plugin to the latest version that removes the unsanitized use of `$_SERVER['PHP_SELF']`; if no newer version exists, uninstall or disable the plugin entirely.
  • Modify the plugin code or site’s template to replace `$_SERVER['PHP_SELF']` with a hard‑coded safe value or wrap it in proper escaping functions such as `esc_attr()` or `esc_html()`.
  • Deploy or configure a web application firewall or security plugin to detect and block reflected XSS payloads, and monitor site traffic for suspicious query strings containing script code.

Generated by OpenCVE AI on April 17, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Alexdtn
Alexdtn subitem Al Slider
Wordpress
Wordpress wordpress
Vendors & Products Alexdtn
Alexdtn subitem Al Slider
Wordpress
Wordpress wordpress

Sat, 07 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Alexdtn Subitem Al Slider
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:08.168Z

Reserved: 2026-01-29T16:33:38.550Z

Link: CVE-2026-1634

cve-icon Vulnrichment

Updated: 2026-02-11T15:37:27.427Z

cve-icon NVD

Status : Deferred

Published: 2026-02-07T09:16:00.893

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses