Description
The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the SP Blog Designer WordPress plugin, the value of the design attribute of the wpsbd_post_carousel shortcode is neither sanitized when the shortcode is saved in post content nor escaped when the plugin renders it into HTML. A user with the Contributor role or higher can therefore save a shortcode whose design value closes the plugin's own HTML attribute and adds script. This is a stored cross-site scripting flaw (CWE-79): the payload persists in the database and runs in the browser of every person who views the affected page.

Affected Systems

All releases of SoftPulse Infotech's SP Blog Designer plugin up to and including version 1.0.0 are affected. Any site running the plugin with accounts at Contributor level or above is exposed: Contributors can place shortcodes in the body of their own posts by default, so no separate carousel-editing permission is involved.

Risk and Exploitability

The CVSS v3.1 base score of 6.4 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects that the attacker needs an authenticated account with the Contributor role or higher, but that once the shortcode is stored the script runs for anyone who loads the page, in that viewer's browser context. Because Contributors cannot publish, the first viewers of an injected post are usually the Editors or Administrators who review it, and their sessions are worth considerably more than the attacker's own. EPSS is below 1% (Very Low) and the flaw is not listed in the CISA KEV catalog; that means no exploitation in the wild has been recorded, not that exploitation is hard, since a stored XSS in a shortcode attribute needs no special tooling once the attribute name is known. Sites that hand out Contributor-level accounts to people they do not fully trust (open registration, guest authors) should act promptly.

Generated by OpenCVE AI on May 12, 2026 at 10:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SP Blog Designer to a release later than 1.0.0 as soon as the vendor publishes one; the advisory names no fixed version, so until then treat the plugin as unpatched and consider deactivating it.
  • Review accounts with the Contributor role or above and remove or downgrade any that do not need to author posts. Shortcodes are ordinary post content, so there is no narrower "carousel" capability to revoke.
  • Audit existing post content, including pending and draft posts, for wpsbd_post_carousel shortcodes whose design attribute contains quotes, angle brackets or event-handler names, and delete any that do.
  • As a temporary safeguard, add a web application firewall rule that rejects such shortcode values on post save, and consider a Content Security Policy that disallows inline script. Note that a CSP only helps if the theme and the other installed plugins already work without inline scripts, which is uncommon on WordPress sites.
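The following is an added illustration of the flaw described under Impact and of the content audit recommended above; it is not code from the SP Blog Designer plugin. The attribute grammar mirrors the general shape of WordPress shortcode attribute parsing (double-quoted, single-quoted and bare values). The CSS class names, the allowlist of design values and the sample post_content rows are all assumptions made for the example.

```python
"""Hunt for injected [wpsbd_post_carousel] shortcodes and contrast an
unescaped 'design' attribute with an allowlisted, escaped one.

Added example, not plugin code. Class names, allowlist and sample posts are
assumptions; the attribute grammar approximates WordPress shortcode parsing.
"""
import html
import re

# Assumed set of legitimate 'design' values; the real plugin's list is not known.
ALLOWED_DESIGNS = {"design-1", "design-2", "design-3"}
DEFAULT_DESIGN = "design-1"

# What a template would reasonably expect in 'design': a plain CSS-class token.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed wp_posts.post_content samples (not real site data). Post 102 carries
# an attribute-breakout payload: single-quoted shortcode value, double quotes inside.
SAMPLE_POSTS = {
    101: 'Intro text. [wpsbd_post_carousel design="design-2" count="6"]',
    102: "[wpsbd_post_carousel design='design-1\" onmouseover=\"alert(document.cookie)']",
    103: "[wpsbd_post_carousel design=design-3]",
    104: "A post with no carousel at all.",
}

SHORTCODE_RE = re.compile(r"\[wpsbd_post_carousel\b([^\]]*)\]")
ATTR_RE = re.compile(
    r'(\w+)\s*=\s*"([^"]*)"'          # name="value"
    r"|(\w+)\s*=\s*'([^']*)'"         # name='value'
    r'|(\w+)\s*=\s*([^\s\'"\]]+)'     # name=value
)


def parse_atts(raw: str) -> dict:
    """Parse shortcode attributes into a dict (names lower-cased, as WordPress does)."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        if m.group(1) is not None:
            atts[m.group(1).lower()] = m.group(2)
        elif m.group(3) is not None:
            atts[m.group(3).lower()] = m.group(4)
        else:
            atts[m.group(5).lower()] = m.group(6)
    return atts


def render_vulnerable(atts: dict) -> str:
    """The flawed pattern: the value is dropped into HTML unchecked and unescaped, so a
    double quote in it closes the class attribute and whatever follows becomes markup."""
    design = atts.get("design", DEFAULT_DESIGN)
    return f'<div class="wpsbd-carousel {design}">'


def render_escaped_only(atts: dict) -> str:
    """Output escaping alone (the esc_attr() analogue): quotes become entities, so the
    value cannot leave the attribute, though an unexpected class name still gets through."""
    design = atts.get("design", DEFAULT_DESIGN)
    return f'<div class="wpsbd-carousel {html.escape(design, quote=True)}">'


def render_hardened(atts: dict) -> str:
    """Sanitize on input (allowlist) and escape on output; unknown designs fall back."""
    design = atts.get("design", DEFAULT_DESIGN)
    if design not in ALLOWED_DESIGNS:
        design = DEFAULT_DESIGN
    return f'<div class="wpsbd-carousel {html.escape(design, quote=True)}">'


def find_suspicious(posts: dict) -> list:
    """Return (post_id, design) for every carousel shortcode whose 'design' value is not
    a plain token. Run it over every post status, not just 'publish': a Contributor's
    post sits in 'pending' until an Editor previews it, and the preview is the attack."""
    findings = []
    for post_id, content in posts.items():
        for m in SHORTCODE_RE.finditer(content):
            design = parse_atts(m.group(1)).get("design")
            if design is not None and not SAFE_TOKEN.match(design):
                findings.append((post_id, design))
    return findings


if __name__ == "__main__":
    for post_id, design in find_suspicious(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious design attribute {design!r}")
    payload = parse_atts(SHORTCODE_RE.search(SAMPLE_POSTS[102]).group(1))
    print("vulnerable :", render_vulnerable(payload))
    print("escaped    :", render_escaped_only(payload))
    print("hardened   :", render_hardened(payload))
```

To use the hunt against a real site, feed find_suspicious a dict built from `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%wpsbd_post_carousel%'` (adjust the table prefix), without filtering on post_status. The parser stops a shortcode at the first closing bracket, so a value that itself contains `]` is truncated; WordPress handles that case with a more elaborate pattern, which is one reason the allowlist check in render_hardened, not the hunt regex, is the actual fix.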

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Softpulse Infotech; Softpulse Infotech sp Blog Designer; Wordpress; Wordpress wordpress
Vendors & Products | | Softpulse Infotech; Softpulse Infotech sp Blog Designer; Wordpress; Wordpress wordpress

Tue, 12 May 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T21:14:03.472Z

Reserved: 2026-03-25T16:00:47.761Z

Link: CVE-2026-4859

Vulnrichment

Updated: 2026-05-12T21:13:58.961Z

NVD

Status : Deferred

Published: 2026-05-12T09:16:54.390

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-4859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T11:30:13Z

Weaknesses