CVE-2026-6672 Overview
CVE-2026-6672 is a Stored Cross-Site Scripting (XSS) vulnerability in the Affiliate Program Suite — SliceWP Affiliates plugin for WordPress. The flaw affects all versions up to and including 1.2.7. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the slicewp_affiliate_url shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who views the affected page, enabling session theft, credential harvesting, or redirection attacks.
Critical Impact
Authenticated contributors can persist arbitrary JavaScript through the slicewp_affiliate_url shortcode, executing scripts in the browsers of administrators and visitors who load affected pages.
Affected Products
- Affiliate Program Suite — SliceWP Affiliates plugin for WordPress
- All versions up to and including 1.2.7
- WordPress sites permitting contributor-level or higher account registration
Discovery Timeline
- 2026-05-06 - CVE-2026-6672 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-6672
Vulnerability Analysis
The vulnerability is a Stored Cross-Site Scripting issue classified under CWE-79. The slicewp_affiliate_url shortcode processes user-supplied attributes without applying adequate sanitization on input or escaping on output. When a contributor embeds the shortcode into a post or page, attribute values flow into the rendered HTML without being filtered through WordPress functions such as esc_attr() or esc_url(). Any visitor who loads the page executes the attacker-controlled payload in their browser session.
Because the payload persists in the database, the attack does not require continued attacker interaction. The scope is marked as changed, reflecting that script execution affects users beyond the attacker's privilege boundary, including authenticated administrators.
Root Cause
The root cause is missing input validation and missing output encoding on shortcode attributes. WordPress shortcodes accept attributes as key-value pairs that authors control. When the plugin renders the slicewp_affiliate_url shortcode, attribute values are emitted directly into HTML context without being passed through escaping helpers. The fix in changeset 3517135 adjusts the shortcode handler to properly sanitize and escape these attributes.
Attack Vector
An attacker first obtains a WordPress account at contributor level or above. Account creation may be possible through open registration, social engineering, or credential reuse. The attacker then drafts a post that includes the slicewp_affiliate_url shortcode with a malicious attribute value containing JavaScript, such as an event handler attribute or a javascript: URL. Once the post is published or previewed by a higher-privileged user such as an editor or administrator, the script executes in that user's browser context, potentially leading to session hijacking or privilege escalation through administrative actions performed on behalf of the victim.
No verified public exploit code is available. The vulnerability mechanism is documented in the Wordfence Vulnerability Report and the WordPress Plugin Changeset.
Detection Methods for CVE-2026-6672
Indicators of Compromise
- Posts or pages containing the slicewp_affiliate_url shortcode with attribute values that include <script>, onerror=, onload=, or javascript: patterns
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after viewing posts authored by contributors
- New administrator accounts, modified user roles, or altered plugin and theme files following contributor activity
Detection Strategies
- Audit the WordPress wp_posts table for shortcode usage with suspicious attribute content using a query that searches for slicewp_affiliate_url combined with HTML or JavaScript metacharacters
- Review web server access logs for requests to admin pages immediately followed by anomalous POST requests originating from administrator sessions
- Monitor browser content security policy (CSP) violation reports for inline script execution on pages rendering the affected shortcode
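The wp_posts audit from the first detection strategy, written out as an added example (not code from the advisory or from the SliceWP project): it pulls each slicewp_affiliate_url shortcode out of post content, decodes HTML entities so encoded variants are not missed, and reports which of the indicator patterns listed above appear in the attribute string. The SAMPLE_POSTS rows are constructed stand-ins for wp_posts, and in practice the same function would be fed rows from a database export.

```python
import html
import re

# Constructed stand-ins for wp_posts rows (ID, post_author, post_content); not real site data.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7,
     "post_content": 'Join here: [slicewp_affiliate_url label="Sign up"]'},
    {"ID": 102, "post_author": 9,
     "post_content": "[slicewp_affiliate_url label='\" onerror=\"alert(1)'] Great deal"},
    {"ID": 103, "post_author": 9,
     "post_content": '[slicewp_affiliate_url url="javascript&#58;alert(1)"]'},
    {"ID": 104, "post_author": 3, "post_content": "Plain post with no shortcode at all."},
]

# Match the shortcode tag and capture its raw attribute string (everything up to the closing bracket).
SHORTCODE_RE = re.compile(r"\[slicewp_affiliate_url\b([^\]]*)\]", re.IGNORECASE)

# The indicator patterns from the IoC list. They run on the entity-decoded attribute string so that
# encoded forms such as javascript&#58; are caught. event_handler may also flag benign names that
# happen to start with "on"; treat hits as leads for manual review, not proof of compromise.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*/?[a-z]", re.IGNORECASE),
}


def scan_post(post):
    """Return a list of findings for one wp_posts-like row; empty when the post looks clean."""
    findings = []
    for match in SHORTCODE_RE.finditer(post["post_content"]):
        decoded = html.unescape(match.group(1))
        hits = sorted(name for name, pat in SUSPICIOUS.items() if pat.search(decoded))
        if hits:
            findings.append({"post_id": post["ID"], "post_author": post["post_author"],
                             "shortcode": match.group(0), "indicators": hits})
    return findings


def scan_posts(posts):
    """Scan an iterable of wp_posts-like dicts and return every finding, in post order."""
    return [finding for post in posts for finding in scan_post(post)]


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} (author {f['post_author']}): "
              f"{', '.join(f['indicators'])} in {f['shortcode']}")
```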
Monitoring Recommendations
- Enable verbose logging on the WordPress site, including content modifications by contributor-level users
- Track creation, modification, and publication events on posts containing shortcodes from the SliceWP plugin
- Alert on privilege changes, new user creation, and plugin or theme file modifications that occur outside scheduled maintenance windows
How to Mitigate CVE-2026-6672
Immediate Actions Required
- Update the Affiliate Program Suite — SliceWP Affiliates plugin to a version newer than 1.2.7 that incorporates the fix from changeset 3517135
- Audit existing posts and pages for malicious use of the slicewp_affiliate_url shortcode and remove any injected payloads
- Review contributor-level and higher accounts for legitimacy and rotate credentials for any suspicious accounts
Patch Information
The vendor patched the vulnerability in the SliceWP plugin repository. The fix is available in the WordPress Plugin Changeset 3517135, which adds proper sanitization and output escaping for the slicewp_affiliate_url shortcode attributes. Site administrators should apply the update through the WordPress plugin management interface.
Workarounds
- Restrict contributor and author account creation until the patch is applied, particularly disabling open registration
- Remove or disable the SliceWP Affiliates plugin if an immediate update cannot be performed
- Deploy a web application firewall rule that inspects post content for shortcode attributes containing HTML tags, event handlers, or javascript: URIs
- Enforce a strict Content Security Policy that blocks inline scripts on the WordPress front end to limit XSS payload execution
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.