{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1275", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T21:58:43.839Z", "datePublished": "2026-03-21T03:26:59.781Z", "dateUpdated": "2026-03-23T17:53:57.409Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:59.781Z"}, "affected": [{"vendor": "gbsdeveloper", "product": "Multi Post Carousel by Category", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b27ecbf7-e97d-42c0-98d4-c235edf40669?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/trunk/multi-post-carousel.php#L174"}, {"url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/tags/1.4/multi-post-carousel.php#L174"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-20T15:20:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:53:35.997457Z", "id": "CVE-2026-1275", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:53:57.409Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:53:35.997457Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:53:46.768Z"}}], "cna": {"title": "Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gbsdeveloper", "product": "Multi Post Carousel by Category", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:20:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b27ecbf7-e97d-42c0-98d4-c235edf40669?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/trunk/multi-post-carousel.php#L174"}, {"url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/tags/1.4/multi-post-carousel.php#L174"}], "descriptions": [{"lang": "en", "value": "The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:59.781Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1275", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:53:57.409Z", "dateReserved": "2026-01-20T21:58:43.839Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:59.781Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-1275", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:16:52.253", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/tags/1.4/multi-post-carousel.php#L174"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/multi-post-carousel/trunk/multi-post-carousel.php#L174"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b27ecbf7-e97d-42c0-98d4-c235edf40669?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Multi Post Carousel by Category", "source": "cna", "vendor": "gbsdeveloper"}, "product": "multi_post_carousel_by_category", "vendor": "gbsdeveloper"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:21:41.242295+00:00", "value": {"mitigation_remediation": ["Update the Multi Post Carousel by Category plugin to a version newer than 1.4 if a release is available.", "Restrict Contributor and other content\u2011editable roles from adding or editing posts that contain the \"slides\" shortcode; consider removing the shortcodes capability or using role\u2011management plugins to enforce this restriction.", "If an update cannot be applied immediately, disable or remove the plugin entirely or deactivate the shortcode functionality to stop the vulnerability from being usable."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the gbsdeveloper Multi Post Carousel by Category plugin, specifically all versions up to and including 1.4. Sites that have enabled the \"slides\" shortcode in posts or pages are vulnerable. An attacker does not need to compromise the site itself but only needs Contributor\u2011level or higher access to insert the malicious code.", "description_and_impact": "The Multi Post Carousel by Category plugin for WordPress contains a stored cross\u2011site scripting flaw tied to the \"slides\" shortcode attribute. Unsanitized input from that attribute is stored and later output without proper escaping, allowing an attacker who can edit content to inject arbitrary JavaScript that runs whenever a page using the shortcode is viewed by visitors. This can lead to session hijacking, defacement, or phishing attacks against any user who views the affected content.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.4, indicating medium\u2011to\u2011high severity. EPSS data is not available and it is not listed in CISA's KEV catalog, suggesting it is not a widely exploited vulnerability yet. Exploitation requires an authenticated user with permission to edit content using the shortcode. Once a malicious script is stored, it executes in the browser of any user who opens the affected page, without the need for additional attack steps."}}}}, "created": "2026-03-23T09:50:05.783608+00:00", "updated": "2026-03-25T14:41:46.434776+00:00", "vendors": ["gbsdeveloper", "gbsdeveloper$PRODUCT$multi_post_carousel_by_category", "wordpress", "wordpress$PRODUCT$wordpress"]}