{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4076", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T19:57:39.259Z", "datePublished": "2026-04-22T07:45:32.908Z", "dateUpdated": "2026-04-22T07:45:32.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:32.908Z"}, "affected": [{"vendor": "felipermendes", "product": "Slider Bootstrap Carousel", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Slider Bootstrap Carousel <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26fe0b7b-dbf8-467f-b5e2-86a858eeaf89?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L93"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L109"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L109"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L113"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L113"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-04-21T19:06:36.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4076", "lastModified": "2026-04-22T09:16:22.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:22.117", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L113"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/tags/1.0.7/includes/sbc-shortcode.php#L93"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L113"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-bootstrap-carousel/trunk/includes/sbc-shortcode.php#L93"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26fe0b7b-dbf8-467f-b5e2-86a858eeaf89?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:27:53.046197+00:00", "value": {"mitigation_remediation": ["Upgrade the Slider Bootstrap Carousel plugin to the latest release that includes the proper escape handling for shortcode attributes.", "If an upgrade is not immediately possible, modify the shortcode processing code to escape the 'category' and 'template' attributes with esc_attr() or disable the shortcode entirely until the patch is applied.", "Remove any content that has already been injected with malicious scripts by reviewing pages, posts, and widgets and deleting or sanitising the offending shortcodes.", "Apply the same review to all existing user\u2011generated content, monitor the site logs for unusual activity, and restrict contributor users from editing shortcodes until the issue is resolved."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows authenticated contributors to inject arbitrary scripts"}, "threat_synthesis": {"affected_systems": "The flaw affects the Slider Bootstrap Carousel WordPress plugin created by felipermendes. All releases up to and including version 1.0.7 are vulnerable. The infection vector requires the user to have at least Contributor role or higher, and the malicious shortcode must be inserted into a page, post, or widget that is served by a site using one of the affected plugin versions.", "description_and_impact": "Vulnerable versions of the Slider Bootstrap Carousel plugin allow authenticated users with contributor-level privileges to exploit insufficient sanitisation of shortcode attributes. By inserting crafted values into the 'category' and 'template' attributes, an attacker can embed arbitrary JavaScript that is injected into various HTML attributes (id, data\u2011target, href, class). Because the input is stored in the database and rendered unchanged whenever a page containing the shortcode is loaded, the injected code runs for any visitor of that page, leading to potential data theft or session hijacking.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity, with no exploitation probability data in EPSS and the vulnerability not listed in the CISA KEV catalog. Nonetheless, because the flaw relies on stored user input that runs in the browsers of every visitor to affected pages, the potential damage is high. An attacker needs only Contributor access, which is commonly granted to content authors. Once the malicious content is published, it executes automatically, making this vulnerability a significant risk for sites that rely on the plugin."}}}}, "created": "2026-04-22T09:30:13.557318+00:00", "updated": "2026-04-22T09:30:13.557332+00:00", "vendors": []}