Description
Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Interest Slider plugin for WordPress versions up to 3.1.6 contains an unauthenticated reflected XSS flaw. The vulnerability permits an attacker to inject and execute arbitrary client‑side scripts by manipulating request parameters that the plugin echoes back in page output.

Affected Systems

WordPress.com sites that use the Quick Interest Slider plugin 3.1.6 or earlier. The affected component is the plugin installed on a WordPress content management system.

Risk and Exploitability

The flaw has a CVSS score of 7.1 and is unauthenticated, meaning any visitor can trigger it by accessing a specially crafted URL or submitting a form that the plugin processes. The EPSS score is not available, so the exact exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because no authentication or local privileges are required, the vulnerability is broadly exploitable.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Remediation

Vendor Solution

Update the WordPress Quick Interest Slider Plugin to the latest available version (at least 3.1.7).

OpenCVE Recommended Actions

  • Update the Quick Interest Slider plugin to version 3.1.7 or newer, which addresses the reflected XSS flaw.
  • If the plugin is not required, disable or remove it from the WordPress installation.
  • Implement a strict Content Security Policy to limit the execution of injected scripts as an additional defense.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions.
Title WordPress Quick Interest Slider plugin <= 3.1.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:34:24.953Z

Reserved: 2026-06-18T14:37:40.347Z

Link: CVE-2026-56039

cve-icon Vulnrichment

Updated: 2026-06-26T15:34:20.767Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')