Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS.

This issue affects SliceWP: from n/a through 1.2.6.
Published: 2026-06-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation, commonly referred to as Cross‑Site Scripting. The flaw allows user‑supplied data to be stored in the SliceWP plugin and later rendered without sanitization, giving an attacker the ability to inject malicious scripts that execute in the browsers of visitors who view the content. The weakness corresponds to CWE‑79 and can lead to theft of session data, defacement of the site, and execution of arbitrary script within the affected user's browser context.

Affected Systems

The affected product is the WordPress SliceWP plugin from vendor iova.mihai. All releases through version 1.2.6 are vulnerable; upgrading to 1.2.7 or later removes the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability is a stored XSS, which is likely exploitable through any interface that accepts input via the SliceWP plugin, such as content entry forms or custom fields. An attacker with write access to that interface can inject malicious payloads that will then execute in the browsers of all visitors rendering the stored content.

Generated by OpenCVE AI on June 11, 2026 at 22:51 UTC.

Remediation

Vendor Solution

Update the WordPress SliceWP Plugin to the latest available version (at least 1.2.7).


OpenCVE Recommended Actions

  • Upgrade the WordPress SliceWP Plugin to version 1.2.7 or later.
  • If an immediate upgrade is not possible, temporarily disable or remove the SliceWP plugin to eliminate the vulnerable code paths.
  • After disabling the plugin, scan the site for any remaining injected scripts and remove them from stored content.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Iova.mihai; Iova.mihai slicewp; Wordpress; Wordpress wordpress |
| Vendors & Products | | Iova.mihai; Iova.mihai slicewp; Wordpress; Wordpress wordpress |

Fri, 12 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 11 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6. |
| Title | | WordPress SliceWP plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-12T13:43:54.132Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42653

Vulnrichment

Updated: 2026-06-12T13:43:50.655Z

NVD

Status: Deferred

Published: 2026-06-11T22:16:56.573

Modified: 2026-06-12T13:13:53.050

Link: CVE-2026-42653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:21:29Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')