Description
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The jQuery googleslides plugin for WordPress allows authenticated users with contributor or higher privileges to inject arbitrary scripts into posts by using the googleslides shortcode. Because the plugin concatenates user‑supplied shortcode attributes directly into single‑quoted HTML attributes without proper escaping, this flaw is a stored cross‑site scripting vulnerability (CWE‑79). An attacker can store malicious JavaScript that will run in the browser whenever any visitor views a page containing the shortcode. The CVE description does not explicitly state the potential consequences, but based on typical XSS behavior, it is inferred that attackers could potentially cause data theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects the WordPress plugin "jQuery googleslides" developed by bradyholt, versions 1.3 and earlier. Users who are contributors or have higher roles on the site can exploit it, provided the malicious shortcode is inserted into editable content such as posts or pages.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is not available, but the lack of a KEV listing suggests no widespread exploitation at this time. The attack requires authenticated access with contributor or higher permissions and the ability to insert or edit the googleslides shortcode. Once the shortcode containing malicious attributes is stored, the attack automatically executes whenever a visitor loads the affected page, making exploitation easy for the attacker, though the specific impact on end users is not detailed in the CVE description.

Generated by OpenCVE AI on May 27, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jQuery googleslides plugin to a version newer than 1.3 if available, or remove the plugin entirely from the WordPress installation.
  • Restrict contributor and lower roles from inserting content that can contain shortcodes, or use a role‑based content restriction plugin to block contributors from editing posts or pages containing the googleslides shortcode.
  • If an update is not feasible, apply a code patch that sanitizes all shortcode attributes by using WordPress’s esc_attr() function before outputting them within HTML attributes.

Generated by OpenCVE AI on May 27, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Bradyholt
Bradyholt jquery Googleslides
Wordpress
Wordpress wordpress
Vendors & Products Bradyholt
Bradyholt jquery Googleslides
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title jQuery googleslides <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Bradyholt Jquery Googleslides
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:37:03.133Z

Reserved: 2026-05-18T20:11:21.908Z

Link: CVE-2026-8866

cve-icon Vulnrichment

Updated: 2026-05-27T10:36:58.122Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:15.983

Modified: 2026-05-27T07:16:15.983

Link: CVE-2026-8866

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:07:27Z

Weaknesses