Security Alert Summary
The Quick Interest Slider WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in its handling of the loan-amount and loan-period parameters in all versions up to and including 3.1.5. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject scripts that execute when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-5694
- Affected component: Quick Interest Slider plugin for WordPress
- Affected versions: All versions up to and including 3.1.5
- Published: April 15, 2026 at 9:16:33 AM
- Last modified: April 15, 2026 at 9:16:33 AM
- CVSS v3.1: Base score 7.2, Severity: HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
- Authentication / access: No authentication required (unauthenticated attacker can trigger the issue)
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping of the loan-amount and loan-period parameters. Data supplied to those parameters can be stored and later rendered in pages without proper escaping, allowing arbitrary web scripts to execute in the context of a visitor’s browser when they view an injected page.
The description identifies the specific parameters that are improperly handled. Because the issue is stored XSS, injected payloads persist on the site and execute for any user who views the affected content.
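The following is an added example in PHP (the language of WordPress plugins), not code from the Quick Interest Slider plugin or from the advisory. It shows the two controls whose absence the description names, input sanitization and output escaping, as a "before" rendering function that concatenates stored strings into markup and an "after" pair that validates the two parameters to plain numbers on the way in and escapes them for their HTML context on the way out. All function names, default values and limits are hypothetical; the `esc_attr`/`esc_html` stand-ins exist only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Quick Interest Slider plugin: the validate-on-input /
// escape-on-output pattern that closes a stored XSS of the kind described above.
// Function names, defaults and limits below are hypothetical choices for the demonstration.

// Stand-ins so this file runs under plain `php` outside WordPress. Inside WordPress the
// real esc_attr() and esc_html() already exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

/**
 * Reduce a loan-amount or loan-period value to the number the feature actually needs.
 * Returns the number, or null when the input is anything other than a plain positive
 * number inside [$min, $max]. Rejecting instead of "cleaning" means no markup can ever
 * reach storage through these parameters.
 */
function loan_param_validate($raw, float $min, float $max): ?float {
    if (!is_scalar($raw)) {
        return null;
    }
    $value = trim((string) $raw);
    // Digits with an optional decimal part only. is_numeric() alone is looser than
    // needed (it also accepts exponent and leading-sign forms).
    if (!preg_match('/^\d+(\.\d+)?$/', $value)) {
        return null;
    }
    $number = (float) $value;
    return ($number >= $min && $number <= $max) ? $number : null;
}

/**
 * Input side: called with the submitted form fields before anything is persisted.
 * Returns the validated pair, or null so the caller can reject the submission.
 * The period is whole months, so a fractional value is truncated after validation.
 */
function loan_params_accept(array $request): ?array {
    $amount = loan_param_validate($request['loan-amount'] ?? null, 100, 1000000);
    $period = loan_param_validate($request['loan-period'] ?? null, 1, 360);
    if ($amount === null || $period === null) {
        return null;
    }
    return ['loan-amount' => $amount, 'loan-period' => (int) $period];
}

/**
 * BEFORE (the vulnerable pattern): stored strings are concatenated straight into markup,
 * so whatever was stored is emitted unchanged into an attribute and a text node.
 */
function render_slider_vulnerable(string $amount, string $period): string {
    return '<input type="range" name="loan-amount" value="' . $amount . '">'
         . '<span class="loan-period">' . $period . ' months</span>';
}

/**
 * AFTER (the hardened pattern): values are re-validated when rendered and escaped for the
 * context they land in. Escaping on output also covers values stored before the fix.
 */
function render_slider_hardened($amount, $period): string {
    $amount_ok = loan_param_validate($amount, 100, 1000000);
    $period_ok = loan_param_validate($period, 1, 360);
    // Safe defaults instead of echoing whatever was in storage.
    $amount_str = $amount_ok === null ? '1000' : rtrim(rtrim(number_format($amount_ok, 2, '.', ''), '0'), '.');
    $period_str = $period_ok === null ? '12' : (string) (int) $period_ok;
    return '<input type="range" name="loan-amount" value="' . esc_attr($amount_str) . '">'
         . '<span class="loan-period">' . esc_html($period_str) . ' months</span>';
}

// Constructed inputs: one well-formed submission and one carrying markup where a number belongs.
$samples = [
    'well-formed' => ['loan-amount' => '2500', 'loan-period' => '24'],
    'markup'      => ['loan-amount' => '<b>2500</b>', 'loan-period' => 'twelve'],
];

foreach ($samples as $label => $request) {
    $accepted = loan_params_accept($request);
    echo "$label: input " . ($accepted === null ? 'rejected before storage' : 'accepted') . "\n";
    echo "  vulnerable render: " . render_slider_vulnerable($request['loan-amount'], $request['loan-period']) . "\n";
    echo "  hardened render:   " . render_slider_hardened($request['loan-amount'], $request['loan-period']) . "\n";
}
```

Running it with `php` prints both renderings for each sample: the vulnerable function passes the `<b>` tags through into the page, while the hardened one rejects the submission before storage and, when handed the same strings at render time, falls back to its defaults and escapes them. The two layers are deliberate: validation keeps markup out of storage, and output escaping protects pages that still serve values stored before the validation existed.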
How This Could Impact Your Website
In a realistic scenario, an unauthenticated attacker could submit crafted input through the affected parameters and store script payloads that run when staff or visitors view the page. For example:
- The site owner or administrators may remain unaware that pages served by the plugin contain injected scripts.
- Internal staff or external contractors who view the injected page could have session data or client-side accessible information exposed to the injected script, consistent with the CVSS impact ratings (confidentiality and integrity impacts are rated low).
- Exposed user email addresses or other low-sensitivity data visible to the browser could be captured, increasing the risk of targeted phishing or social engineering against site staff or contributors.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other roles with content submission capabilities.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and logs for unusual content submissions or unexpected page changes.
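As an added example supporting the monitoring step above (not part of the advisory, and not plugin code), the PHP below audits values a site has already stored for the loan-amount and loan-period parameters and reports any that are not a plain number. The page does not say where the plugin persists these values, so the function takes them as a name => value array; the sample set is constructed. A field that should only ever hold a number but contains markup or quote characters is the kind of "unexpected page change" worth investigating.

```php
<?php
// Added example, not part of the advisory or the plugin: an audit pass over values a site
// has already stored for loan-amount / loan-period, to answer "is there injected content
// in storage right now?". Where the plugin keeps these values is not stated on the page,
// so the function takes them as a plain name => value array; the sample set is constructed.

/**
 * Return the entries whose value is not a plain positive number. Each finding carries a
 * truncated copy of the value and a flag for markup or quote characters, which are the
 * ones that matter for a stored XSS.
 */
function audit_loan_values(array $stored): array {
    $findings = [];
    foreach ($stored as $name => $value) {
        $text = is_scalar($value) ? trim((string) $value) : '';
        if (!preg_match('/^\d+(\.\d+)?$/', $text)) {
            $findings[$name] = [
                'value'      => substr($text, 0, 80),               // truncate for the report
                'has_markup' => (bool) preg_match('/[<>"\'`]/', $text),
            ];
        }
    }
    return $findings;
}

// Constructed sample: two clean rows, one with harmless formatting, one with markup.
$stored = [
    'slider_1_loan-amount' => '15000',
    'slider_1_loan-period' => '36',
    'slider_2_loan-amount' => '15,000',        // non-numeric but only a formatting slip
    'slider_2_loan-period' => '<i>48</i>',     // markup where a number belongs
];

foreach (audit_loan_values($stored) as $name => $finding) {
    printf("%s: %s%s\n", $name, $finding['value'], $finding['has_markup'] ? '  <-- contains markup' : '');
}
```

Pointing the function at real stored values (for example, rows exported from the plugin's settings with WP-CLI or a database query) turns the generic "monitor for unusual content" advice into a concrete check that can be repeated after the update to confirm nothing injected remains in storage.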
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1335
- http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1338
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3ce37e7-1dca-4f74-86ce-65bf29ef091e?source=cve