Description
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated contributor or higher to embed arbitrary scripts into the slider shortcode, resulting in script execution for visitors to the injected page. This can lead to defacement, cookie theft, or other malicious actions that compromise confidentiality and integrity.

Affected Systems

The Any Post Slider plugin from vendor itpathsolutions, in all versions up to and including 1.0.4, is affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, the EPSS score is below 1%, and the vulnerability is not listed in the KEV catalog. Attackers need only authenticated access with Contributor level or higher and the ability to add or edit slider shortcodes. Once an affected shortcode is stored, the injected script executes in the browser of any user who views the page containing that slider.

Generated by OpenCVE AI on March 21, 2026 at 06:24 UTC.
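The weak pattern the description names (a shortcode attribute that is neither validated nor escaped before it reaches the page) beside a hardened handler, as an added illustrative example in PHP. This is hypothetical code written for this page, not the Any Post Slider plugin's own source; the function names and the rendered markup are assumptions, while the WordPress APIs used are real.

```php
<?php
// Hypothetical shortcode handlers illustrating the advisory's root cause.
// Not the plugin's real code.

// Weak: the post_type attribute is concatenated into HTML unchanged, so any
// quote or tag stored in the attribute value becomes part of the page markup.
function aps_slider_weak( $atts ) {
    $atts = shortcode_atts( array( 'post_type' => 'post' ), $atts, 'aps_slider' );
    return '<div class="aps-slider" data-post-type="' . $atts['post_type'] . '"></div>';
}

// Hardened: validate the value against registered post types, then escape on output.
function aps_slider_hardened( $atts ) {
    $atts = shortcode_atts( array( 'post_type' => 'post' ), $atts, 'aps_slider' );

    // sanitize_key() lowercases and strips everything except a-z, 0-9, '-' and '_'.
    $post_type = sanitize_key( $atts['post_type'] );

    // Accept only a registered, publicly viewable post type; otherwise fall back.
    if ( ! post_type_exists( $post_type ) || ! is_post_type_viewable( $post_type ) ) {
        $post_type = 'post';
    }

    $posts = get_posts( array( 'post_type' => $post_type, 'numberposts' => 5 ) );

    // Escape at the point of output, even though the value was already validated:
    // esc_attr() for attribute context, esc_html() for text content.
    $html = '<div class="aps-slider" data-post-type="' . esc_attr( $post_type ) . '">';
    foreach ( $posts as $p ) {
        $html .= '<div class="aps-slide">' . esc_html( get_the_title( $p ) ) . '</div>';
    }
    return $html . '</div>';
}

add_shortcode( 'aps_slider', 'aps_slider_hardened' );
```

Validation alone is not enough if another code path later prints the raw attribute, so the escaping call on output is the part that closes the CWE-79 gap regardless of how the value was checked.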

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Any Post Slider plugin to a version newer than 1.0.4 or to the latest release.
  • If an update is not immediately available, remove or deactivate the plugin to prevent further exploitation.
  • Restrict Contributor and higher roles to trusted users, and enforce least-privilege access on the WordPress site.
  • Monitor site content for unexpected script insertion and review logs for suspicious activity.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Itpathsolutions; Itpathsolutions any Post Slider; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Itpathsolutions; Itpathsolutions any Post Slider; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:38.385Z

Reserved: 2026-02-04T14:47:53.157Z

Link: CVE-2026-1899

Vulnrichment

Updated: 2026-03-23T15:07:42.025Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T04:16:56.067

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-1899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:10Z

Weaknesses