What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aakif Kadiwala Posts Slider Shortcode (posts-slider-shortcode) allows DOM-Based XSS. This issue affects Posts Slider Shortcode: from n/a through <= 1.0.
Explanation of Vulnerability in Simple Terms
02 Summary
Posts Slider Shortcode versions 1.0 and earlier contain a cross-site scripting (XSS) vulnerability. An attacker with low-level site access can inject malicious scripts into slider content. When a site administrator or other user views the affected slider, the attacker's script runs in their browser, potentially stealing session tokens or performing actions on their behalf. The vulnerability requires user interaction—the victim must view a page containing the malicious slider.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in other users' browsers when they view the slider.
Potential impact on your site
04 Site Impact
Attackers with contributor access can compromise admin sessions or steal sensitive data from site visitors viewing affected sliders.
Conditions required to exploit
05 Prerequisites
Attacker needs low-level site access (e.g., contributor role) and the victim must view a page with the malicious slider.
Key dates
06 Disclosure timeline
July 4, 2025: CVE published
April 28, 2026: Record updated