WordPress Security Bulletin: Wonka Slide Plugin Vulnerability (CVE-2026-1613)

On this page

Security Alert Summary

The Wonka Slide plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its list_class shortcode attribute. Authenticated users with contributor-level access or higher can inject scripts that are stored and executed when a page containing the injected shortcode is viewed.

CVE Details

  • CVE ID: CVE-2026-1613
  • Affected component: Wonka Slide plugin for WordPress
  • Affected versions: all versions up to and including 1.3.3
  • Published: February 7, 2026 at 9:16 AM UTC
  • Last modified: February 7, 2026 at 9:16 AM UTC
  • CVSS v3.1: Base Score 6.4 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User Interaction: Requires an authenticated attacker with contributor-level access or higher; Privileges Required: LOW; User Interaction: NONE
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE: CWE-79 (Cross-site Scripting)

Technical Details

According to the CVE description, the plugin fails to sufficiently sanitize and escape user-supplied attributes for the list_class shortcode. Because attribute input is not properly validated or escaped before output, an authenticated user with contributor-level privileges or higher can include arbitrary script content in the shortcode attribute. That script is stored by the plugin and will execute in the context of any user who views the affected page, leading to a stored (persistent) XSS condition.

How This Could Impact Your Website

In a typical small-to-midsize WordPress site, a contributor or an external contractor with contributor access could add or edit content using the affected shortcode to include a malicious list_class value. When internal staff (for example, editors or administrators) or site visitors view the page, the injected script can run in their browsers. Practical consequences include limited disclosure of page content or user-visible data and the display of malicious content that could be used for targeted phishing or social engineering against staff or users. The CVSS metrics indicate confidentiality and integrity impacts are low and availability is not impacted; this means attackers can affect data shown in the page and perform script-based actions in viewers’ browsers, but the vulnerability does not indicate remote server takeover.

professional review may be worth considering if you’re unsure whether your site is affected or how to assess your current user roles and plugins.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles—especially contributor-level accounts—and restrict who can add or edit shortcode content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and page content for unusual changes or unexpected script injections.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References