PatchSiren cyber security CVE debrief

CVE-2026-8873 celloexpressions CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Content Slideshow WordPress plugin, affecting all versions up to and including 2.4.1. The flaw stems from insufficient input sanitization and output escaping within shortcode attributes. Attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which execute when users access the injected content. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been reported.

Vendor
celloexpressions
Product
Content Slideshow
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Content Slideshow plugin, security teams managing WordPress installations, and developers maintaining plugins with shortcode functionality

Technical summary

The Content Slideshow plugin for WordPress fails to properly sanitize and escape input within shortcode attributes, enabling stored XSS attacks. The vulnerability exists in slideshow-widget-shortcode.php at lines 14 and 143 in version 2.4.1. Authenticated users with contributor privileges or higher can exploit this to inject malicious scripts that persist in page content and execute in victims' browsers. The contributor threshold matters because contributors lack the unfiltered_html capability, so WordPress's KSES filter strips raw HTML from anything they save; shortcode attribute values, however, are plain text inside square brackets, pass KSES unchanged, and reach the plugin's handler intact, where they are written into HTML without escaping. The attack requires no user interaction beyond viewing the compromised page, and the CVSS scope metric indicates a changed scope (S:C) because script running in a viewer's browser affects resources beyond the vulnerable component.
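The following is an added illustration written for this debrief; it is not code from the Content Slideshow plugin or from celloexpressions. It shows a shortcode handler in the vulnerable shape the advisory describes (attribute values written straight into HTML) beside a hardened version that sanitizes on input and escapes per output context. The shortcode tag demo_slides and the attribute names title, speed and link are assumptions for the example only.

```php
<?php
/*
 * Added example, not the Content Slideshow plugin's code.
 * Shortcode tag "demo_slides" and its attributes are assumed for illustration.
 */

// VULNERABLE: attribute values are concatenated into markup unescaped.
// A contributor cannot submit raw HTML (no unfiltered_html, so KSES strips
// tags on save), but KSES does not look inside shortcode brackets, so
//   [demo_slides title='x" onmouseover="alert(document.cookie)']
// reaches this handler intact and closes the title="" attribute.
function demo_slides_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'speed' => '5' ), $atts, 'demo_slides' );
    return '<div class="demo-slides" title="' . $atts['title']
         . '" data-speed="' . $atts['speed'] . '"></div>';
}

// HARDENED: sanitize on input, then escape with the function that matches
// the output context (HTML attribute, text node, URL).
function demo_slides_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => '',
            'speed' => 5,
            'link'  => '',
        ),
        $atts,
        'demo_slides'
    );

    // sanitize_text_field() strips tags and stray whitespace but keeps quotes,
    // so it is not a substitute for output escaping below.
    $title = sanitize_text_field( $atts['title'] );
    $speed = absint( $atts['speed'] );   // numeric attribute: coerce to a non-negative int
    $link  = esc_url( $atts['link'] );   // returns '' for javascript: and other disallowed schemes

    $html  = '<div class="demo-slides" title="' . esc_attr( $title ) . '"';
    $html .= ' data-speed="' . $speed . '">';
    if ( '' !== $link ) {
        $html .= '<a href="' . $link . '">' . esc_html( $title ) . '</a>';
    }
    $html .= '</div>';
    return $html;
}

add_shortcode( 'demo_slides', 'demo_slides_shortcode_hardened' );
```

The point of the hardened version is the pairing of esc_attr() for values placed inside attributes, esc_html() for values placed between tags, and esc_url() for href targets; applying a single text sanitizer at input time and skipping context-specific escaping at output time is exactly the "insufficient sanitization and escaping" pattern the advisory names.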

Defensive priority

medium

Recommended defensive actions

  • Update the Content Slideshow plugin to a version newer than 2.4.1 when available
  • Review and remove any suspicious shortcode content added by contributor-level users
  • Implement Content Security Policy headers to mitigate XSS impact
  • Consider restricting contributor permissions until patching is complete
  • Monitor post revision history and site activity or audit logs for unexpected shortcode changes (web-server access logs do not record content edits)
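As an added example of the review step above (not a tool shipped by the plugin vendor or by PatchSiren), the following WP-CLI script scans stored post content, including revisions, for shortcode attribute values that contain HTML metacharacters, a javascript: scheme or an on*= event handler, and reports the post, author and role. It assumes WP-CLI is installed and is run from the site root as `wp eval-file find-shortcode-payloads.php`. It uses its own bracket regex rather than get_shortcode_regex() so that it also matches shortcodes whose plugin is currently deactivated.

```php
<?php
/*
 * Added example for review of contributor-supplied shortcodes.
 * Run with: wp eval-file find-shortcode-payloads.php
 * Not part of the advisory or of the Content Slideshow plugin.
 */

global $wpdb;

// Pull every row that could contain a shortcode. Revisions are included
// deliberately: they preserve the history of who inserted what and when.
$rows = $wpdb->get_results(
    "SELECT ID, post_type, post_author, post_modified, post_content
       FROM {$wpdb->posts}
      WHERE post_content LIKE '%[%'"
);

// Crude shortcode matcher: [tag attr="..." attr2='...']. Does not try to
// handle ']' inside quoted values; the payload shapes of interest
// (closing a quote, adding an event handler) do not need it.
$shortcode_re = '/\[([A-Za-z0-9_-]+)\b([^\]]*)\]/';

// What a malicious attribute value tends to contain.
$suspicious_re = '/<|>|javascript:|\bon[a-z]+\s*=/i';

$hits = 0;

foreach ( $rows as $row ) {
    if ( ! preg_match_all( $shortcode_re, $row->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }

    foreach ( $matches as $m ) {
        $tag  = $m[1];
        $atts = shortcode_parse_atts( $m[2] ); // core parser: array, or '' when there are no attributes
        if ( ! is_array( $atts ) ) {
            continue;
        }

        foreach ( $atts as $name => $value ) {
            if ( ! is_string( $value ) || ! preg_match( $suspicious_re, $value ) ) {
                continue;
            }

            $user  = get_userdata( $row->post_author );
            $login = $user ? $user->user_login : 'unknown';
            $role  = $user ? implode( ',', $user->roles ) : 'unknown';

            WP_CLI::warning( sprintf(
                '%s %d by %s (%s), modified %s: [%s %s="%s"]',
                $row->post_type,
                $row->ID,
                $login,
                $role,
                $row->post_modified,
                $tag,
                $name,
                substr( $value, 0, 80 )
            ) );
            $hits++;
        }
    }
}

WP_CLI::log( sprintf( '%d suspicious shortcode attribute value(s) found.', $hits ) );
```

Every hit should be read by a person: legitimate attribute values rarely contain angle brackets or an on*= assignment, but a value such as title="Q&A > session" is harmless, so the script is a triage aid, not an automatic cleaner. Hits attributed to users in the contributor or author roles deserve the first look.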

Evidence notes

The vulnerability is documented in the NVD record with references to specific source code locations in the plugin's shortcode implementation. Wordfence security research identified the insufficient sanitization at lines 14 and 143 of slideshow-widget-shortcode.php in version 2.4.1. The CWE-79 classification confirms the XSS nature of the weakness.
