PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8866 bradyholt CVE debrief

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'googleslides' shortcode in all versions up to and including 1.3. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied shortcode attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) within the googleslides_handler() function. These attribute values are interpolated directly into single-quoted HTML attributes without esc_attr(), so a value containing a single quote can terminate the attribute and append attributes of its own; this enables authenticated attackers with Contributor-level access or higher to inject arbitrary web script that executes in the browser of anyone who views a page containing the injected shortcode. The CVSS 3.1 score of 6.4 (Medium) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope with low impact to confidentiality and integrity and none to availability. The vulnerability was disclosed on May 27, 2026, with Wordfence providing the technical analysis and source code references. No exploitation in the wild or use in ransomware campaigns has been documented.

Vendor
bradyholt
Product
jQuery googleslides
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the jQuery googleslides plugin; security teams managing WordPress content management environments; developers maintaining WordPress plugins with shortcode functionality

Technical summary

The googleslides_handler() function in jQuery googleslides plugin v1.3 and below fails to sanitize or escape user-supplied shortcode attributes before interpolating them into HTML output. The affected attributes, userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed, are inserted directly into single-quoted HTML attributes without WordPress esc_attr() escaping. This allows authenticated Contributors and above to inject JavaScript payloads that persist in post/page content and execute in victim browsers. The shortcode is what makes the low privilege level sufficient: Contributors lack the unfiltered_html capability, so raw <script> tags or event-handler attributes they type into a post are stripped by WordPress's KSES filtering on save, but a shortcode such as [googleslides userid="..."] is plain text that passes KSES untouched and is only turned into HTML by the plugin at render time. The vulnerability is classified as CWE-79 with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
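The following is an added illustration of the pattern described above, written for this debrief; it is not the plugin's source. Only the ten attribute names come from the advisory. The <div data-*> markup, the default values, and the stand-in definitions of shortcode_atts(), esc_attr() and absint() (which let the file run under plain `php` without WordPress loaded) are assumptions made for the example.

```php
<?php
// Added illustration of the pattern the advisory describes, not the
// plugin's source. Only the attribute names come from the advisory; the
// <div data-*> markup and the defaults are assumptions.

// Minimal stand-ins so this file runs under plain `php` with no WordPress
// loaded. Inside WordPress the real functions exist and these are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        // WordPress's esc_attr() also encodes ' as &#039; (ENT_QUOTES).
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n): int {
        return abs((int) $n);
    }
}

// Assumed defaults; attribute names are the ones listed in the advisory.
const GOOGLESLIDES_DEFAULTS = [
    'userid' => '', 'albumid' => '', 'authkey' => '',
    'imgmax' => '640', 'maxresults' => '20', 'random' => 'false',
    'caption' => 'true', 'albumlink' => '', 'time' => '5000',
    'fadespeed' => '1000',
];

// Vulnerable shape: every attribute value is concatenated straight into a
// single-quoted HTML attribute. A value such as
//     ' onmouseover='alert(document.domain)
// closes the attribute early and adds an event handler of its own.
function googleslides_handler_vulnerable(array $atts): string {
    $a = shortcode_atts(GOOGLESLIDES_DEFAULTS, $atts);
    $html = "<div class='googleslides'";
    foreach ($a as $name => $value) {
        $html .= " data-" . $name . "='" . $value . "'";
    }
    return $html . "></div>";
}

// Hardened shape: coerce the numeric knobs with absint(), allow-list the
// boolean flags, and pass everything else through esc_attr(), which
// encodes ' " < > & so no value can terminate the attribute. albumlink is
// a URL and would additionally want esc_url(); omitted to keep the example
// free of WordPress dependencies.
function googleslides_handler_hardened(array $atts): string {
    $a = shortcode_atts(GOOGLESLIDES_DEFAULTS, $atts);
    foreach (['imgmax', 'maxresults', 'time', 'fadespeed'] as $n) {
        $a[$n] = (string) absint($a[$n]);
    }
    foreach (['random', 'caption'] as $b) {
        $a[$b] = ($a[$b] === 'true') ? 'true' : 'false';
    }
    $html = "<div class='googleslides'";
    foreach ($a as $name => $value) {
        $html .= " data-" . $name . "='" . esc_attr($value) . "'";
    }
    return $html . "></div>";
}

// Constructed payload, equivalent to a Contributor writing
//   [googleslides userid="' onmouseover='alert(document.domain)" imgmax="640;alert(1)"]
$payload = [
    'userid' => "' onmouseover='alert(document.domain)",
    'imgmax' => '640;alert(1)',
];

echo googleslides_handler_vulnerable($payload), "\n";
echo googleslides_handler_hardened($payload), "\n";
```

In the first line of output the userid value has ended the data-userid attribute and added a live onmouseover handler, and the imgmax value carries arbitrary text into the markup; in the second line the single quotes are encoded as &#039; so the handler stays inert text inside the attribute, and imgmax has been reduced to the integer 640. The fix is per attribute: the right escaping function depends on the context the value lands in (attribute, URL, JavaScript), and numeric and boolean settings are easiest to secure by coercion rather than escaping.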

Defensive priority

medium

Recommended defensive actions

  • Update the jQuery googleslides plugin to a release newer than 1.3 if the vendor has published a fix; otherwise disable or remove the plugin until one is available
  • Review existing posts and pages, including drafts, pending and revisions, for suspicious [googleslides] shortcode usage, checking the userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed attributes for injected script: values containing quotes or angle brackets, javascript: URIs, or non-numeric content in the numeric attributes
  • Implement Content Security Policy (CSP) headers to limit the impact of any stored XSS payload; note that the injected handler is inline script, so a policy that allows 'unsafe-inline' for scripts does not stop it, and WordPress themes and plugins that rely on inline scripts will need nonces or hashes before such a policy can be enforced
  • Restrict contributor and author role permissions where possible, or implement additional content review workflows for users with post creation capabilities
  • Apply WordPress core automatic updates and maintain plugin inventory to detect vulnerable versions
  • Consider Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns
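As an added example for the content-review step above (not part of the plugin or the advisory), the helper below scans post content for [googleslides] shortcodes whose attribute values could not be legitimate album settings. The sample post bodies are constructed for the example, the attribute grouping into numeric and boolean sets is an assumption based on the attribute names, and the attribute parser is a simplified version of what WordPress's shortcode parser accepts.

```php
<?php
// Added audit helper for the "review existing posts" step, not part of the
// plugin or the advisory. It scans post content for [googleslides] shortcodes
// whose attribute values could not be legitimate album settings.

// Constructed sample of wp_posts.post_content keyed by post ID; not real data.
const SAMPLE_POSTS = [
    12 => "<p>Holiday photos</p>[googleslides userid=\"12345\" albumid=\"67890\" imgmax=\"640\" time=\"5000\"]",
    13 => "[googleslides userid=\"12345\" albumid=\"' onmouseover='alert(document.domain)\" imgmax=\"640\"]",
    14 => "[googleslides userid='12345' imgmax='640;alert(1)' random='true']",
    15 => "<p>No slideshow here</p>",
];

// Attribute names from the advisory, grouped by the value type each is
// assumed to carry (the grouping is an assumption based on the names).
const NUMERIC_ATTRS = ['imgmax', 'maxresults', 'time', 'fadespeed'];
const BOOLEAN_ATTRS = ['random', 'caption'];

// name="value", name='value' or bare name=value, as WordPress's shortcode
// parser accepts. Simplified: positional attributes are not handled.
function parse_shortcode_atts(string $body): array {
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $body, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $value = $match[2] ?? '';
        if ($value === '') { $value = $match[3] ?? ''; }
        if ($value === '') { $value = $match[4] ?? ''; }
        $atts[strtolower($match[1])] = $value;
    }
    return $atts;
}

// Returns one finding per attribute value that looks like an injection
// attempt rather than an album setting.
function find_suspicious_googleslides(string $content): array {
    $findings = [];
    // The shortcode body ends at the first ']'. Because the plugin writes
    // single-quoted attributes, any quote in a value is a breakout candidate;
    // angle brackets and javascript: URIs are flagged for the same reason.
    preg_match_all('/\[googleslides\b([^\]]*)\]/i', $content, $tags);
    foreach ($tags[1] as $body) {
        foreach (parse_shortcode_atts($body) as $name => $value) {
            $reason = null;
            if (preg_match('/[\'"<>]/', $value) || stripos($value, 'javascript:') !== false) {
                $reason = 'quote, angle bracket or javascript: URI in value';
            } elseif (in_array($name, NUMERIC_ATTRS, true) && $value !== '' && !ctype_digit($value)) {
                $reason = 'non-numeric value for a numeric attribute';
            } elseif (in_array($name, BOOLEAN_ATTRS, true) && !in_array(strtolower($value), ['true', 'false'], true)) {
                $reason = 'unexpected value for a boolean attribute';
            }
            if ($reason !== null) {
                $findings[] = ['attribute' => $name, 'value' => $value, 'reason' => $reason];
            }
        }
    }
    return $findings;
}

// Map of post ID => findings, omitting posts with nothing to report.
function audit_posts(array $posts): array {
    $report = [];
    foreach ($posts as $id => $content) {
        $findings = find_suspicious_googleslides($content);
        if ($findings !== []) {
            $report[$id] = $findings;
        }
    }
    return $report;
}

foreach (audit_posts(SAMPLE_POSTS) as $id => $findings) {
    foreach ($findings as $f) {
        printf("post %d: %s=%s (%s)\n", $id, $f['attribute'], json_encode($f['value']), $f['reason']);
    }
}
```

Run against the constructed sample, post 13 is reported for the quote in albumid and post 14 for the non-numeric imgmax, while posts 12 and 15 are silent. On a live site the same functions can be fed from a query over the wp_posts table (for example via $wpdb, or with `wp eval-file` under WP-CLI); include every post_status rather than only published posts, because a Contributor's pending submission renders its shortcodes when an Editor previews it, and revisions keep a copy of the payload even after the visible post is cleaned.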

Evidence notes

Vulnerability confirmed via Wordfence security advisory with direct source code references to the affected googleslides_handler() function at lines 39 and 52 of init.php in version 1.3. CWE-79 (Improper Neutralization of Input During Web Page Generation) classified as primary weakness.

Official resources

2026-05-27