CVE-2026-9022
Deferred Deferred - Pending Action
Stored XSS in Splide Carousel Block WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor's post.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-9022
EUVD
EUVD-2026-32042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
splide splide_carousel_block to 1.7.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Splide Carousel Block plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'url' Block Attribute in all versions up to and including 1.7.1. This vulnerability arises because the plugin does not properly sanitize input or escape output. As a result, authenticated users with contributor-level access or higher can inject malicious web scripts into pages.

These injected scripts execute whenever a user visits the affected page, but the malicious payload must first be published by an editor or administrator before it becomes active.

Impact Analysis

This vulnerability can allow attackers with contributor-level access to inject arbitrary scripts into web pages, which will execute in the browsers of visitors to those pages.

  • It can lead to theft of user credentials or session tokens.
  • It can enable attackers to perform actions on behalf of users or deface the website.
  • The attack requires that the injected content be published by an editor or administrator, so the risk depends on the site's editorial controls.
Mitigation Strategies

To mitigate this vulnerability, you should update the Splide Carousel Block plugin for WordPress to a version later than 1.7.1 where the issue is fixed.

Additionally, restrict contributor-level users from publishing content without review by an editor or administrator to prevent malicious scripts from being published.

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'url' Block Attribute in the Splide Carousel Block plugin for WordPress. Detection typically involves inspecting posts or pages for injected malicious scripts in the 'url' attribute of the block.

Since the vulnerability requires an authenticated contributor to inject the payload and an editor or administrator to publish it, detection can include reviewing recent posts or pages created or edited by contributors for suspicious script tags or unusual URL attributes.

There are no specific commands provided in the available resources or CVE description to detect this vulnerability directly on a network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart