CVE-2026-0680
Stored XSS in Real Post Slider Lite Plugin Affects Multisite
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vojislav_kovacevic | real_post_slider_lite | up to and including 2.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0680 is a Stored Cross-Site Scripting (XSS) vulnerability in the Real Post Slider Lite WordPress plugin (version 2.4 and earlier). It occurs because the plugin does not properly sanitize or escape input data submitted via its settings page. Authenticated users with administrator-level access can inject malicious scripts into plugin settings, which are then stored and executed whenever a user views a page containing the injected content. This vulnerability affects multi-site WordPress installations or installations where the unfiltered_html capability is disabled. [2]
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator privileges to inject malicious JavaScript code into the plugin's settings. When other users visit pages where the injected script is rendered, the malicious code executes in their browsers. This can lead to session hijacking, defacement, unauthorized actions on behalf of users, or theft of sensitive information. Since it requires admin-level access, the risk is limited to compromised or malicious administrators, but the impact on site integrity and user security can be significant. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Real Post Slider Lite WordPress plugin version 2.4 or earlier is installed on a multisite WordPress installation or on a site where unfiltered_html is disabled. Since the vulnerability involves stored cross-site scripting via plugin settings, detection involves inspecting the plugin settings for malicious script injections. There are no specific network commands provided in the resources, but administrators can review the plugin options in the WordPress database (e.g., options table) for suspicious script tags or payloads in settings such as category name or post ordering. Additionally, reviewing the plugin version and configuration via WordPress admin or WP-CLI commands like `wp plugin list` and `wp option get <option_name>` can help identify vulnerable setups. [1, 2]
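The answer above suggests reviewing the installed plugin version and inspecting the stored plugin options for script payloads. The following script is an added example, not code from the CVE record or from the Real Post Slider Lite plugin: it takes the installed version (as reported by `wp plugin list`) and the decoded option values (as exported with `wp option get <option_name> --format=json`), flags a version within the affected range (2.4 and earlier), and reports any settings value containing script tags, inline event handlers or `javascript:` URLs. The option names, the nested settings layout and the sample values are constructed placeholders; the plugin's real option names are not given in the record.

```python
"""Defensive check for stored-XSS payloads in WordPress plugin settings.

Added example for CVE-2026-0680; not code from the CVE record or the plugin.
Assumes the reviewer has already exported the plugin's option values
(`wp option get <option_name> --format=json`) and read the installed version
from `wp plugin list`. Option names used below are placeholders.
"""
import json
import re

# Versions up to and including 2.4 are affected, per the record.
LAST_AFFECTED_VERSION = "2.4"

# Patterns that should never appear in settings such as a category name or
# a post-ordering value; any match is worth a manual look.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),          # inline event handlers
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.IGNORECASE),
]


def parse_version(v):
    """Turn '2.4' or '2.4.1' into a tuple of ints; non-numeric parts become 0."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected_version(installed):
    """True when the installed version is <= 2.4 (padding so 2.4.0 == 2.4)."""
    a, b = parse_version(installed), parse_version(LAST_AFFECTED_VERSION)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def flatten(value, path="$"):
    """Yield (json_path, string) pairs from a nested option value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def find_injected_scripts(options):
    """Return [(option_name, json_path, snippet)] for every suspicious string.

    `options` maps option_name -> decoded option value (str, dict or list).
    """
    findings = []
    for name, value in options.items():
        for path, text in flatten(value):
            for pat in SUSPICIOUS_PATTERNS:
                m = pat.search(text)
                if m:
                    findings.append((name, path, text[m.start():m.start() + 40]))
                    break
    return findings


def assess(installed_version, options):
    """Combine the version check and the settings scan into one report."""
    return {
        "version_affected": is_affected_version(installed_version),
        "findings": find_injected_scripts(options),
    }


# Constructed sample data (placeholder option names, benign canary payload).
SAMPLE_OPTIONS = {
    "rps_lite_settings_PLACEHOLDER": {"category": "News", "order": "desc"},
    "rps_lite_slides_PLACEHOLDER": [
        {"title": "Welcome", "caption": "Read our latest posts"},
        {"title": "Sale<script>/* constructed canary */</script>", "caption": ""},
    ],
}

if __name__ == "__main__":
    print(json.dumps(assess("2.4", SAMPLE_OPTIONS), indent=2))
```

Run it against a real export by replacing `SAMPLE_OPTIONS` with the decoded output of `wp option get`; a non-empty `findings` list on an affected version is the signal to clean the setting and rotate any sessions of users who viewed the affected pages. The patterns are deliberately broad, so treat a hit as a prompt for review rather than proof of compromise.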
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Updating the Real Post Slider Lite plugin to a version later than 2.4, if one is available in which the vulnerability is fixed.
2) Restricting administrator-level access to trusted users only, since exploitation requires authenticated admin access.
3) Enabling the unfiltered_html capability if possible, or otherwise carefully sanitizing and reviewing plugin settings to remove any injected scripts.
4) Monitoring for and cleaning any stored malicious scripts in plugin settings.
5) Applying general WordPress security best practices, such as limiting plugin usage on multisite installations and using security plugins to detect XSS attempts.
Since the plugin lacks input sanitization, avoiding use of this plugin or replacing it with a secure alternative is recommended. [2]