Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that allows arbitrary JavaScript to run in site visitors' browsers
Action: Patch
AI Analysis

Impact

The Image Slider by Ays plugin fails to properly escape user input when rendering slider pages, resulting in a cross‑site scripting flaw. An attacker who can inject content into the slider configuration can cause any visitor to execute malicious JavaScript at the point where the slider is displayed.

Affected Systems

WordPress sites that include Ays Pro: Image Slider by Ays, version 2.7.1 or earlier, are vulnerable. The issue arises from insufficient access control that permits non‑administrators to modify slider content.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to alter slider content, which may be possible if access controls are lax. Successful exploitation would result in client‑side script execution on pages that include the slider, potentially compromising user data and site integrity.

Generated by OpenCVE AI on March 26, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Image Slider by Ays plugin to a version newer than 2.7.1
  • If an update cannot be applied immediately, deactivate or completely remove the plugin from the WordPress installation
  • Restrict access to the slider configuration interface so only administrators can edit content
  • Verify that slider output pages are free of unintended scripts

Generated by OpenCVE AI on March 26, 2026 at 01:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro image Slider
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro image Slider
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1.
Title WordPress Image Slider by Ays plugin <= 2.7.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Ays-pro Image Slider
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:13:18.671Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32494

cve-icon Vulnrichment

Updated: 2026-03-25T20:03:46.033Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:01.107

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32494

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:30Z

Weaknesses