CVE-2026-0680
Unknown Unknown - Not Provided
Stored XSS in Real Post Slider Lite Plugin Affects Multisite

Publication date: 2026-01-14

Last updated on: 2026-01-14

Assigner: Wordfence

Description
The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-14
Last Modified
2026-01-14
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0680
EUVD
EUVD-2026-2536
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vojislav_kovacevic real_post_slider_lite to 2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0680 is a Stored Cross-Site Scripting (XSS) vulnerability in the Real Post Slider Lite WordPress plugin (version 2.4 and earlier). It occurs because the plugin does not properly sanitize or escape input data submitted via its settings page. Authenticated users with administrator-level access can inject malicious scripts into plugin settings, which are then stored and executed whenever a user views a page containing the injected content. This vulnerability affects multi-site WordPress installations or installations where the unfiltered_html capability is disabled. [2]

Impact Analysis

This vulnerability can allow an attacker with administrator privileges to inject malicious JavaScript code into the plugin's settings. When other users visit pages where the injected script is rendered, the malicious code executes in their browsers. This can lead to session hijacking, defacement, unauthorized actions on behalf of users, or theft of sensitive information. Since it requires admin-level access, the risk is limited to compromised or malicious administrators, but the impact on site integrity and user security can be significant. [2]

Detection Guidance

This vulnerability can be detected by checking if the Real Post Slider Lite WordPress plugin version 2.4 or earlier is installed on a multisite WordPress installation or on a site where unfiltered_html is disabled. Since the vulnerability involves stored cross-site scripting via plugin settings, detection involves inspecting the plugin settings for malicious script injections. There are no specific network commands provided in the resources, but administrators can review the plugin options in the WordPress database (e.g., options table) for suspicious script tags or payloads in settings such as category name or post ordering. Additionally, reviewing the plugin version and configuration via WordPress admin or WP-CLI commands like `wp plugin list` and `wp option get <option_name>` can help identify vulnerable setups. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1) Updating the Real Post Slider Lite plugin to a version later than 2.4 if available, where the vulnerability is fixed. 2) Restricting administrator-level access to trusted users only, since exploitation requires authenticated admin access. 3) Enabling unfiltered_html capability if possible, or otherwise carefully sanitizing and reviewing plugin settings to remove any injected scripts. 4) Monitoring and cleaning any stored malicious scripts in plugin settings. 5) Applying general WordPress security best practices such as limiting plugin usage on multisite installations and using security plugins to detect XSS attempts. Since the plugin lacks input sanitization, avoiding use of this plugin or replacing it with a secure alternative is recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0680. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart