Security Alert Summary
The Subitem AL Slider plugin for WordPress has a reflected Cross-Site Scripting (XSS) vulnerability that allows an unauthenticated attacker to inject arbitrary web scripts via the $_SERVER['PHP_SELF'] parameter. The issue affects all versions up to and including 1.0.0 and requires a user interaction (for example, a clicked link) for the injected script to execute in the victim’s browser.
CVE Details
- CVE ID: CVE-2026-1634
- Affected component: Subitem AL Slider plugin for WordPress
- Affected versions: All versions up to and including 1.0.0
- Published: February 7, 2026 at 9:16 AM
- Last modified: February 7, 2026 at 9:16 AM
- CVSS v3.1: Base Score 6.1, Medium — Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - Authentication / Privileges / User Interaction: Authentication not required; Privileges Required: None; User Interaction: Required
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Technical Details
The vulnerability is a reflected Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter. The CVE description indicates the plugin uses this server variable in its template output, allowing an attacker to craft a URL that embeds script content in the response. The references point to the plugin template file templates/tab1_block1.tpl, where the unsanitized $_SERVER['PHP_SELF'] value is used in page output.
Because the flaw is reflected, an attacker must trick a user into visiting a specially crafted URL (for example, clicking a link). If the victim performs that action while viewing the affected page, the injected script runs in the context of the victim’s browser and can perform actions limited by the browser’s privileges for that page.
How This Could Impact Your Website
In a typical scenario, a site owner or administrator publishes content using the Subitem AL Slider plugin. Internal staff or external contributors viewing affected pages could be targeted by an attacker who distributes a crafted link. If a user clicks the link, the injected script can run in their browser and may expose data visible to that page (for example, user profile information or email addresses displayed on the page) or alter the rendered content for that session.
Practical consequences include exposure of internal user contact information and an increased risk of targeted phishing or social engineering against site staff or contributors. The issue requires attackers to convince users to interact with a malicious link, so social engineering is a likely vector.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (A specific fixed version is not specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially contributor-level accounts that are not required.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, such as unexpected redirects or content changes visible only to logged-in users.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11
- https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11
- https://wordpress.org/plugins/subitem-al-slider/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve