CVE-2026-5767 Overview
CVE-2026-5767 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the SlideShowPro SC plugin for WordPress in all versions up to and including 1.0.2. The flaw resides in the slideShowProSC shortcode handler, which fails to sanitize user-supplied attributes or escape output. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript into pages. The payload executes in the browser of any visitor who renders the affected page. The vulnerability is classified under CWE-79.
Critical Impact
Contributor-level accounts can persist JavaScript that runs against administrators and site visitors, enabling session theft, content manipulation, and privilege escalation through admin-targeted payloads.
Affected Products
- SlideShowPro SC plugin for WordPress versions 1.0.0 through 1.0.2
- WordPress sites permitting contributor-level account registration
- WordPress sites embedding the slideShowProSC shortcode in published content
Discovery Timeline
- 2026-04-22 - CVE-2026-5767 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5767
Vulnerability Analysis
The SlideShowPro SC plugin registers a WordPress shortcode named slideShowProSC. When WordPress encounters this shortcode in post or page content, it invokes the plugin's handler at slideshowpro_sc.php line 287. The handler concatenates shortcode attributes directly into the HTML output without applying sanitization functions such as esc_attr(), esc_html(), or wp_kses().
Because WordPress contributors can author posts containing shortcodes, any user at contributor level or above can supply attribute values containing JavaScript. The injected script is stored in the post content within the database and executes each time the page is rendered. The CVSS scope is rated Changed because the script executes in the origin of the WordPress site itself, so it can act against administrative users who review or preview submissions.
For implementation specifics, see the WordPress Plugin Code Review.
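The following is an added illustration of the vulnerable pattern beside its escaped counterpart; it is not the SlideShowPro SC plugin's code, and the function names and attribute set are assumed. Stand-in definitions let it run under plain php outside WordPress.

```php
<?php
// Added illustration for this advisory, not the SlideShowPro SC plugin's own code.
// Function names and the attribute set (id, title, width) are assumptions.

// Minimal stand-ins so this runs under plain `php`; WordPress core provides the real ones.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): attribute values are concatenated straight into
// HTML attribute contexts. A value containing a double quote closes the attribute,
// and whatever follows becomes new markup (an on*= handler, for example).
function vulnerable_slideshow_shortcode($atts) {
    $a = shortcode_atts(['id' => '', 'title' => '', 'width' => '640'], $atts);
    return '<div class="slideshow" id="' . $a['id'] . '" title="' . $a['title']
         . '" style="width:' . $a['width'] . 'px"></div>';
}

// Hardened pattern: escape every string for the attribute context it lands in
// and coerce numeric attributes instead of echoing them raw.
function hardened_slideshow_shortcode($atts) {
    $a = shortcode_atts(['id' => '', 'title' => '', 'width' => '640'], $atts);
    $width = max(1, (int) $a['width']);   // numeric attribute: cast, never concatenate raw
    return '<div class="slideshow" id="' . esc_attr($a['id'])
         . '" title="' . esc_attr($a['title'])
         . '" style="width:' . $width . 'px"></div>';
}

// Constructed contributor-supplied attributes of the shape the advisory describes;
// PAYLOAD is a placeholder, not executable script.
$atts = [
    'id'    => 'gallery1',
    'title' => 'x" onclick="PAYLOAD',
    'width' => '640;background:url(PAYLOAD)',
];

echo "Vulnerable: " . vulnerable_slideshow_shortcode($atts) . "\n";
echo "Hardened:   " . hardened_slideshow_shortcode($atts) . "\n";
```

In the hardened output the quote in title is emitted as &quot;, so the attribute never closes early, and width collapses to the integer 640.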
Root Cause
The root cause is insufficient input sanitization and missing output escaping on shortcode attributes [CWE-79]. The plugin trusts attribute values produced by authenticated authors and emits them into HTML attribute contexts without encoding.
Attack Vector
An attacker with contributor-level credentials creates a post that embeds the slideShowProSC shortcode with attribute values containing a JavaScript payload. After the post is submitted for review or published, the stored payload executes in the browser of any user who loads the page, including editors and administrators who preview the submission.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5767
Indicators of Compromise
- Post or page content containing slideShowProSC shortcode attributes with <script> tags, javascript: URIs, or event handlers such as onerror= and onclick=
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after viewing contributor submissions
- New WordPress administrator accounts or modified user roles correlated with contributor login activity
Detection Strategies
- Query the wp_posts table for post_content matching the shortcode pattern combined with HTML event handlers or <script substrings
- Confirm the installed plugin version (1.0.2 or earlier is vulnerable) and place slideshowpro_sc.php under file integrity monitoring so unexpected changes to the handler are flagged
- Review web server access logs for contributor account activity preceding administrative session anomalies
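An added detection example implementing the wp_posts scan described above; it is not part of this advisory's source or of WordPress, and the function name and sample rows are constructed. It matches only indicators that sit inside a slideShowProSC shortcode, which keeps ordinary prose mentioning onclick= from triggering.

```php
<?php
// Added detection example for this advisory, not the plugin's or WordPress's own code.
// Scans post_content for slideShowProSC shortcodes whose attributes carry the
// indicators the advisory lists. Function name and sample rows are constructed.

// Indicator patterns from the advisory: script tags, javascript: URIs, on*= handlers.
const SSP_INDICATORS = [
    'script_tag'     => '/<\s*script/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
];

// Returns one finding per matched indicator: ['post_id', 'indicator', 'attrs'].
function ssp_scan_content(int $post_id, string $content): array {
    $findings = [];
    // Attribute quotes are often stored entity-encoded (&quot;); decode before matching
    // so an encoded breakout is not missed.
    $decoded = html_entity_decode($content, ENT_QUOTES, 'UTF-8');
    if (!preg_match_all('/\[slideShowProSC\b([^\]]*)\]/i', $decoded, $m)) {
        return $findings;
    }
    foreach ($m[1] as $attrs) {
        foreach (SSP_INDICATORS as $name => $re) {
            if (preg_match($re, $attrs)) {
                $findings[] = ['post_id' => $post_id, 'indicator' => $name, 'attrs' => trim($attrs)];
            }
        }
    }
    return $findings;
}

// Constructed rows in the shape of a `SELECT ID, post_content FROM wp_posts` result.
// PAYLOAD is a placeholder, not executable script.
$rows = [
    ['ID' => 11, 'post_content' => '[slideShowProSC id="gallery1" width="640"] Clean gallery.'],
    ['ID' => 12, 'post_content' => '[slideShowProSC id="x" title="a&quot; onclick=&quot;PAYLOAD"]'],
    ['ID' => 13, 'post_content' => '<p>No shortcode here, just an onclick= in prose.</p>'],
];
foreach ($rows as $row) {
    foreach (ssp_scan_content((int) $row['ID'], $row['post_content']) as $f) {
        printf("post %d: %s in [%s]\n", $f['post_id'], $f['indicator'], $f['attrs']);
    }
}
```

Inside WordPress the $rows array would come from $wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%slideShowProSC%'", ARRAY_A), for example via wp eval-file.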
Monitoring Recommendations
- Alert on creation or modification of posts by contributor-level accounts that include shortcode attributes containing angle brackets or on*= patterns
- Monitor WordPress audit logs for role escalations and unauthorized changes to wp_options
- Forward WordPress and web server telemetry to a centralized data lake for correlation across authentication, content, and network events
How to Mitigate CVE-2026-5767
Immediate Actions Required
- Deactivate and remove the SlideShowPro SC plugin until a patched release is available
- Audit contributor and author accounts; disable any that are unused or unverified
- Scan existing post and page content for malicious payloads embedded within the slideShowProSC shortcode
Patch Information
At the time of publication, no fixed version is identified in the NVD record. Versions through 1.0.2 remain vulnerable. Track the WordPress Plugin Code Repository for updates and consult the Wordfence Vulnerability Report for remediation guidance.
Workarounds
- Remove the plugin entirely if shortcode functionality is not business-critical
- Restrict the contributor role from posting shortcodes using a capability management plugin or custom filter on the_content
- Deploy a web application firewall (WAF) rule that blocks shortcode attributes containing <script, javascript:, or HTML event handler patterns
# Configuration example: disable the plugin via WP-CLI
# Confirm the installed slug first, since the plugin directory name may differ:
wp plugin list
wp plugin deactivate slideshowpro-shortcode
wp plugin delete slideshowpro-shortcode
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.