Slideshow Wp Vulnerability (Medium) – CVE-2026-1885

by | Feb 10, 2026 | Plugins

Attack Vectors

Slideshow Wp (slug: slideshow-wp) versions 1.1 and earlier are affected by a Medium-severity issue (CVSS 6.4) tracked as CVE-2026-1885. The risk comes from a stored cross-site scripting (XSS) vulnerability tied to the sswp-slide shortcode, specifically the sswpid attribute.

In practical terms, an attacker needs authenticated access with contributor-level permissions or higher. From there, they can place malicious content into a page or post that uses the relevant shortcode. Because the script is stored in site content, it can execute later when anyone visits the affected page—often without the victim clicking anything unusual.

Security Weakness

The core weakness is insufficient input sanitization and output escaping of user-supplied shortcode attributes in Slideshow Wp up to and including version 1.1. This allows untrusted content placed into the sswpid attribute to be saved and then rendered back to visitors in a way that can run in their browser.

This is especially important for organizations where multiple teams publish content (marketing, comms, agencies, regional teams). Contributor-level access is common in these workflows, which increases the likelihood that compromised credentials, a malicious insider, or an overly broad permission model could be leveraged to inject harmful scripts into customer-facing pages.

Technical or Business Impacts

Stored XSS can create immediate brand and trust risk because visitors may see unexpected redirects, pop-ups, altered page content, or behavior that looks like your site has been “hacked.” Even if the impact is limited to a subset of pages, customers and partners typically judge the organization’s security posture by what they experience on the site.

From an operational and compliance standpoint, this type of issue can lead to session or account compromise for users who view the injected page, including employees accessing administrative areas through the same browser session. That can increase the chance of follow-on incidents (e.g., unauthorized content changes, lead form tampering, analytics manipulation) that directly affect pipeline reporting, marketing attribution, and executive dashboards.

There is currently no known patch available per the reported details. Organizations should evaluate mitigations based on risk tolerance; in many cases, the safest business decision is to remove/uninstall Slideshow Wp and replace it with a maintained alternative. At minimum, review who has contributor (or higher) access, reduce permissions to the lowest necessary level, and monitor for unexpected changes to pages using the sswp-slide shortcode.
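One way to carry out the monitoring step above, shown as an added example rather than code from the plugin or the reported details: scan post content for sswp-slide shortcodes whose sswpid value is not a plain identifier. It assumes you have exported (post ID, post_content) pairs from the site and that a legitimate sswpid is a short alphanumeric ID; the function names and sample rows are hypothetical.

```python
import re

# Assumption (not from the advisory): a legitimate sswpid is a short
# slideshow identifier made of letters, digits, "_" or "-".
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# [sswp-slide ...] with its raw attribute string captured.
SHORTCODE = re.compile(r"\[sswp-slide(?![\w-])([^\]]*)\]", re.IGNORECASE)

# The three attribute forms WordPress shortcodes accept:
# name="value", name='value', name=value
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_attrs(raw):
    """Return {lowercased name: value} for one shortcode's attribute string."""
    attrs = {}
    for name, dq, sq, bare in ATTR.findall(raw):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def scan_posts(posts):
    """Return (post_id, sswpid) pairs whose sswpid is not a plain identifier."""
    findings = []
    for post_id, content in posts:
        for match in SHORTCODE.finditer(content):
            value = parse_attrs(match.group(1)).get("sswpid")
            if value is not None and not SAFE_ID.fullmatch(value):
                findings.append((post_id, value))
    return findings


# Constructed sample rows (post ID, post_content); not real site data.
SAMPLE_POSTS = [
    (101, 'Intro text [sswp-slide sswpid="12"] outro'),
    (102, "[sswp-slide sswpid='4\" data-constructed=\"1']"),
    (103, "[sswp-slide sswpid=summer-2026] and [gallery ids=\"1,2\"]"),
    (104, "[sswp-slide sswpid='7 extra words']"),
]

if __name__ == "__main__":
    for post_id, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review sswpid value {value!r}")
```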

Similar Attacks: Stored XSS in WordPress ecosystems has been used in real-world incidents to inject malicious scripts into site pages and content. Examples include Elementor vulnerability coverage by Wordfence and Popup Builder plugin vulnerability coverage by Wordfence.
