Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS.

This issue affects SliceWP: from n/a through 1.2.6.
Published: 2026-06-11
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation, commonly referred to as Cross‑Site Scripting. The flaw allows user‑supplied data to be stored in the SliceWP plugin and later rendered without sanitization, so an attacker can inject malicious scripts that execute in the browsers of visitors who view the content. The weakness corresponds to CWE‑79 and can lead to theft of session data, defacement of the site, and execution of arbitrary script code within the affected user's browser context.

Affected Systems

The affected product is the WordPress SliceWP plugin from vendor iova.mihai. All releases through version 1.2.6 are vulnerable (the record lists the lower bound as n/a); upgrading to 1.2.7 or later removes the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS vector on this record (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable issue with low attack complexity that requires user interaction and has a changed scope. The vulnerability is a stored XSS, which is likely exploitable through any interface that accepts input via the SliceWP plugin, such as content entry forms or custom fields. An attacker with write access to that interface can inject malicious payloads that will then execute in the browsers of all visitors rendering the stored content.

Generated by OpenCVE AI on June 11, 2026 at 22:51 UTC.

Remediation

Vendor Solution

Update the WordPress SliceWP Plugin to the latest available version (at least 1.2.7).


OpenCVE Recommended Actions

  • Upgrade the WordPress SliceWP Plugin to version 1.2.7 or later.
  • If an immediate upgrade is not possible, temporarily disable or remove the SliceWP plugin to eliminate the vulnerable code paths.
  • After disabling the plugin, scan the site for any remaining injected scripts and remove them from stored content.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6.
Title | | WordPress SliceWP plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T21:07:15.235Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42653

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T22:16:56.573

Modified: 2026-06-11T22:16:56.573

Link: CVE-2026-42653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')