Description
The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting that allows authenticated contributors to inject arbitrary scripts
Action: Immediate Patch
AI Analysis

Impact

Vulnerable versions of the Slider Bootstrap Carousel plugin allow authenticated users with Contributor-level privileges to exploit insufficient sanitisation of shortcode attributes. By inserting crafted values into the 'category' and 'template' attributes, an attacker can store input that is written unescaped into several HTML attributes (id, data-target, href, class) and so embed arbitrary JavaScript in the rendered page. Because the input is stored in the database and rendered unchanged whenever a page containing the shortcode is loaded, the injected code runs for every visitor to that page, which can lead to data theft or session hijacking.

Affected Systems

The flaw affects the Slider Bootstrap Carousel WordPress plugin created by felipermendes. All releases up to and including version 1.0.7 are vulnerable. Exploitation requires an account with the Contributor role or higher, and the malicious shortcode must be placed in a page, post, or widget rendered by a site running one of the affected plugin versions.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity, with no exploitation probability data in EPSS and the vulnerability not listed in the CISA KEV catalog. Nonetheless, because the flaw relies on stored user input that runs in the browsers of every visitor to affected pages, the potential damage is high. An attacker needs only Contributor access, which is commonly granted to content authors. Once the malicious content is published, the script runs automatically in the browser of every visitor to that page, making this vulnerability a significant risk for sites that rely on the plugin.

Generated by OpenCVE AI on April 22, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Slider Bootstrap Carousel plugin to the latest release that includes the proper escape handling for shortcode attributes.
  • If an upgrade is not immediately possible, modify the shortcode processing code to escape the 'category' and 'template' attributes with esc_attr() or disable the shortcode entirely until the patch is applied.
  • Remove any content that has already been injected with malicious scripts by reviewing pages, posts, and widgets and deleting or sanitising the offending shortcodes.
  • Apply the same review to all existing user-generated content, monitor the site logs for unusual activity, and restrict contributor users from editing shortcodes until the issue is resolved.
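As an added illustration (not the plugin's own code; the sbc_demo_* names are hypothetical), the unsafe pattern the description refers to is shown next to a hardened handler that constrains the attribute values on input and escapes each one for its output context, which is the fix the recommended actions above describe. It assumes it runs inside WordPress, where shortcode_atts(), sanitize_key(), sanitize_html_class(), esc_attr(), esc_url() and add_shortcode() are available.

```php
<?php
// Added illustration, not the plugin's code. Assumes it runs inside WordPress;
// the sbc_demo_* names are hypothetical.

// Unsafe pattern the advisory describes: extract() over shortcode_atts() turns
// contributor-controlled attributes into variables that are written straight
// into id, data-target, href and class without any escaping.
function sbc_demo_carousel_unsafe( $atts ) {
    extract( shortcode_atts( array(
        'category' => 'default',
        'template' => 'basic',
    ), $atts ) );
    return '<div id="carousel-' . $category . '" class="carousel ' . $template . '">'
         . '<a href="#carousel-' . $category . '" data-target="#carousel-' . $category . '">next</a>'
         . '</div>';
}

// Hardened handler: no extract(), constrain the values on input, then escape
// each one for the exact HTML context it lands in on output.
function sbc_demo_carousel_safe( $atts ) {
    $atts = shortcode_atts( array(
        'category' => 'default',
        'template' => 'basic',
    ), $atts, 'sbc_demo_carousel' );

    // A category slug and a template name only ever need [a-z0-9_-];
    // anything else is dropped before the value is used anywhere.
    $category = sanitize_key( $atts['category'] );
    if ( '' === $category ) {
        $category = 'default';
    }
    $template = sanitize_html_class( $atts['template'], 'basic' );

    $dom_id = 'carousel-' . $category;

    // esc_attr() for id/class/data-* values, esc_url() for the href, even though
    // the sanitizers above already reject quotes and angle brackets: the output
    // escaping is what still protects the page if an input rule is loosened later.
    return sprintf(
        '<div id="%1$s" class="carousel %2$s"><a href="%3$s" data-target="#%1$s">next</a></div>',
        esc_attr( $dom_id ),
        esc_attr( $template ),
        esc_url( '#' . $dom_id )
    );
}
add_shortcode( 'sbc_demo_carousel', 'sbc_demo_carousel_safe' );
```

Only the hardened handler is registered; the unsafe function is kept solely to show the pattern a code review should flag.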


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | none listed | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | none listed | Felipermendes; Felipermendes slider Bootstrap Carousel; Wordpress; Wordpress wordpress
Vendors & Products | none listed | Felipermendes; Felipermendes slider Bootstrap Carousel; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | none listed | (the description text shown in the Description section above)
Title | none listed | Slider Bootstrap Carousel <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses | none listed | CWE-79
References | none listed | (values not shown on this page)
Metrics | none listed | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T12:15:44.853Z

Reserved: 2026-03-12T19:57:39.259Z

Link: CVE-2026-4076

Vulnrichment

Updated: 2026-04-22T12:15:31.767Z

NVD

Status : Deferred

Published: 2026-04-22T09:16:22.117

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:18Z

Weaknesses