Security Alert Summary
The Slideshow Wp plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the sswpid attribute of the sswp-slide shortcode in all versions up to and including 1.1. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allows authenticated users with contributor-level access or higher to inject JavaScript that will execute when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-1885
- Affected plugin / component: Slideshow Wp plugin for WordPress
- Affected versions: All versions up to and including 1.1
- Published: February 11, 2026 at 9:15:53 AM UTC
- Last modified: February 11, 2026 at 3:27:26 PM UTC
- CVSS v3.1: Base score 6.4 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Authentication required (authenticated attackers with contributor-level access and above). Privileges required: LOW. User interaction: NONE.
- Primary impact: Confidentiality: LOW. Integrity: LOW. Availability: NONE.
- CWE / weakness: CWE-79 (Cross-site Scripting)
Technical Details
This issue is a stored cross-site scripting (XSS) vulnerability rooted in insufficient input sanitization and output escaping for a shortcode attribute. The plugin processes the sswp-slide shortcode and accepts an sswpid attribute from authenticated users. Because user-supplied content in that attribute is not properly sanitized before output, an attacker with contributor-level access or higher can insert arbitrary JavaScript payloads into pages or posts that include the shortcode.
The injected script is stored in content and will execute whenever a visitor or authenticated user loads the affected page. The CVSS scope is reported as CHANGED, which for stored XSS reflects that the impact lands in the browsers of users who view the page rather than in the vulnerable plugin itself; the vector indicates network-based exploitation with low complexity and no required user interaction.
How This Could Impact Your Website
Consider a typical site workflow: a site owner permits internal staff and external contributors to add or edit content. A contributor with the ability to insert or edit slides using the plugin’s shortcode could add malicious script into the sswpid attribute. When other users — including editors, administrators, or site visitors — view the affected page, the script will run in their browsers.
Realistic consequences include exposure of low-sensitivity data and the potential for limited integrity impacts such as page content manipulation or client-side actions performed on behalf of a user. Because confidentiality and integrity impacts are rated as LOW, this does not, based on the provided data, imply an immediate full site takeover, but it does increase risk:
- Exposure of internal user information displayed on pages where the shortcode is used.
- Increased risk of targeted phishing or social engineering if attacker-controlled scripts capture identifiable information or influence content displayed to users.
- Potential for unauthorized client-side actions executed in the context of a victim’s browser, depending on what the injected script does and which users view the page.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed or patched version.)
- Review and reduce unnecessary user roles, especially contributors and any accounts with editing privileges.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and content edits for unusual behavior, especially changes to pages or posts that include the sswp-slide shortcode.
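As an added audit helper for the monitoring step above (this is not part of the advisory and not the plugin's own code), the Python script below scans post content for sswp-slide shortcodes whose sswpid attribute is anything other than a plain integer. It assumes sswpid is meant to hold a numeric slideshow ID, which the CVE entry does not state, and runs over constructed sample posts rather than a live database.

```python
import re

# Matches [sswp-slide ...] shortcodes and captures the raw attribute string.
# Attribute parsing is simplified; WordPress's shortcode_parse_atts() is the
# reference implementation. This is an added audit helper, not plugin code.
SHORTCODE_RE = re.compile(r"\[sswp-slide\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Assumption (not stated in the CVE entry): a legitimate sswpid is numeric.
SAFE_ID_RE = re.compile(r"^\d+$")


def parse_atts(raw):
    """Parse key="value", key='value' and key=value pairs into a dict."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        atts[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return atts


def find_suspicious_slides(post_content):
    """Return (shortcode, sswpid) pairs whose sswpid is not a plain integer."""
    findings = []
    for m in SHORTCODE_RE.finditer(post_content):
        value = parse_atts(m.group(1)).get("sswpid")
        if value is not None and not SAFE_ID_RE.match(value):
            findings.append((m.group(0), value))
    return findings


def audit_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: findings}."""
    report = {}
    for post_id, content in posts:
        hits = find_suspicious_slides(content)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample content; in practice feed wp_posts.post_content here.
SAMPLE_POSTS = [
    (101, 'Intro text [sswp-slide sswpid="42"] more text'),
    (102, "[sswp-slide sswpid='7' class=\"wide\"]"),
    (103, '[sswp-slide sswpid="42<i>x</i>"]'),  # non-numeric: flag for review
    (104, "No shortcode here at all."),
]

if __name__ == "__main__":
    for pid, hits in audit_posts(SAMPLE_POSTS).items():
        for shortcode, value in hits:
            print(f"post {pid}: non-numeric sswpid {value!r} in {shortcode}")
```

A flagged value is a review prompt, not proof of exploitation; compare the post's revision history and the editing account against the affected-role list before acting.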
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.