CVE-2026-1899
Stored XSS in Any Post Slider WordPress Plugin
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_any_post_slider | any_post_slider | to 1.0.4 (inc) |
| it_path_solutions | any_post_slider | to 1.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its aps_slider shortcode in all versions up to and including 1.0.4.
This vulnerability arises because the plugin does not properly sanitize or escape the 'post_type' attribute input, allowing authenticated users with Contributor-level access or higher to inject malicious scripts.
These injected scripts are stored and executed whenever any user accesses the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or higher to inject malicious scripts into pages viewed by other users.
The impact includes the potential theft of user credentials, session hijacking, defacement of the website, or execution of unauthorized actions on behalf of users.
Since the vulnerability has a CVSS v3.1 base score of 6.4, it is considered a medium severity issue that can lead to confidentiality and integrity loss but does not affect availability.
What immediate steps should I take to mitigate this vulnerability?
The Any Post Slider plugin for WordPress has been temporarily closed and is unavailable for download as of March 2, 2026, pending a full review.
Immediate mitigation steps include disabling or uninstalling the Any Post Slider plugin (version 1.0.4 and earlier) to prevent exploitation of the stored cross-site scripting vulnerability.
Ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated users with such privileges to exploit.
Monitor for updates or patches from the plugin developers or WordPress plugin repository before re-enabling the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know