Description
The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated users with Contributor-level permissions to inject arbitrary JavaScript into the 'alwaysauto' attribute of the Slideshow Gallery LITE shortcode. The plugin fails to sanitize or escape this attribute, resulting in stored XSS that executes in any browser that views the affected page. An attacker could hijack sessions, steal credentials, or execute other malicious actions within the site context. The weakness corresponds to CWE-79, a classic cross‑site scripting flaw.

Affected Systems

This flaw exists in all releases of the Slideshow Gallery LITE WordPress plugin up to and including version 1.8.5, as supplied by Contrid. Any site running those versions is at risk; newer releases are not affected.

Risk and Exploitability

With a CVSS score of 6.4 the severity is medium. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV, indicating low current exploitation pressure. However, the attack vector requires an authenticated Contributor account or higher, so compromise of an account or use of social‑engineering to gain elevated privileges could enable exploitation. The stored nature of the XSS means injected content will persist and affect all future page views by any user.

Generated by OpenCVE AI on June 18, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Slideshow Gallery LITE plugin to the latest release (i.e., any version newer than 1.8.5).
  • If an update cannot be performed immediately, restrict or remove the 'alwaysauto' shortcode attribute from the plugin code or disable the shortcode entirely to prevent unsanitized input from being stored.
  • Deploy a web‑application firewall or input‑validation filter to block or sanitize JavaScript payloads injected into the 'alwaysauto' attribute for protected users.

Generated by OpenCVE AI on June 18, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Contrid
Contrid slideshow Gallery Lite
Wordpress
Wordpress wordpress
Vendors & Products Contrid
Contrid slideshow Gallery Lite
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Slideshow Gallery LITE <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alwaysauto' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Contrid Slideshow Gallery Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T15:53:49.109Z

Reserved: 2026-02-05T20:06:46.826Z

Link: CVE-2026-2021

cve-icon Vulnrichment

Updated: 2026-06-18T15:53:45.370Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')