Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting allowing arbitrary script execution in user browsers
Action: Patch Immediately
AI Analysis

Impact

Improper neutralization of input during web page generation allows malicious user data to be reflected unencoded in HTML and executed as JavaScript in the victim's browser. This DOM‑based XSS can be leveraged to hijack sessions, deface the site, or perform phishing attacks. It is classified as CWE‑79 and carries a medium CVSS score of 6.5.

Affected Systems

The B Slider WordPress plugin provided by bPlugins is vulnerable in every release up to and including version 2.0.6; sites running these versions are affected.

Risk and Exploitability

The CVSS score of 6.5 combined with an EPSS probability of less than 1 percent suggests moderate severity and low exploitation likelihood. The vulnerability does not appear in the CISA KEV catalog, indicating no broad, documented exploitation. Based on the description, the likely attack vector involves supplying malicious input that the plugin incorporates into a page without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in the context of a site visitor.

Generated by OpenCVE AI on April 16, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the B Slider plugin to version 2.0.7 or later to remove the DOM‑based XSS flaw.
  • If upgrading is not immediately possible, disable the B Slider plugin for all non‑admin traffic or strip user input before rendering it to prevent reflected execution.
  • Deploy a site‑wide Content Security Policy that restricts inline scripts, thereby limiting the impact of any residual injection attempts.


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Bplugins
Bplugins b Slider
Wordpress
Wordpress wordpress
Vendors & Products Bplugins
Bplugins b Slider
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6.
Title WordPress B Slider plugin <= 2.0.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:48.420Z

Reserved: 2026-01-22T14:42:48.125Z

Link: CVE-2026-24383

Vulnrichment

Updated: 2026-01-27T20:49:49.548Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:41.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses