PatchSiren cyber security CVE debrief
CVE-2026-9022 dkjensen CVE debrief
The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'url' Block Attribute in all versions up to and including 1.7.1. Insufficient input sanitization and missing output escaping allow authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages; the scripts execute in the browser of any user who loads an injected page. Because contributors cannot publish, the payload only reaches site visitors once an editor or administrator publishes the post. The vulnerability was disclosed on 2026-05-27 with a CVSS 3.1 score of 6.4 (Medium severity). The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
- Vendor: dkjensen
- Product: Splide Carousel Block
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators running the Splide Carousel Block plugin; security teams that manage WordPress content-review workflows with contributor accounts; developers maintaining block-based WordPress plugins
Technical summary
The vulnerability is in the handling of the 'url' Block Attribute of the Splide Carousel Block plugin. The attribute is neither validated when the block is saved nor escaped when it is rendered, so a value carrying a script payload is stored verbatim in the post's block markup and written into the page unchanged. The attacker needs a contributor-level (or higher) account; once an editor or administrator publishes the post, the payload runs in the browser of every visitor who loads it. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (the script runs in the visitor's browser, a different security authority than the vulnerable plugin), low confidentiality and integrity impact, and no availability impact.
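The weakness class the summary describes, as an added illustration in JavaScript. This is not the plugin's code: the function names renderSlideVulnerable and renderSlideHardened and the { url, src, alt } attribute shape are assumptions chosen for the example. It shows the two independent failures in the text, a missing scheme check and missing attribute escaping, and why the fix needs both.

```javascript
// Added illustration of the weakness class (CWE-79) behind this advisory. This is
// NOT the plugin's code: renderSlideVulnerable, renderSlideHardened and the
// { url, src, alt } attribute shape are assumptions chosen for the example.

// Escape the characters that can terminate or alter a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Allow only http(s) URLs. Relative paths are resolved against a placeholder base
// so they pass; the WHATWG URL parser lower-cases the scheme and strips leading
// whitespace, so "JaVaScRiPt:" and " javascript:" are both rejected.
function isSafeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value), 'https://placeholder.invalid/');
  } catch (e) {
    return false; // not parseable as a URL at all
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// VULNERABLE: the stored attribute is concatenated straight into the markup.
// A value of  " onmouseover="alert(1)  closes href and adds an event handler;
// a value of  javascript:alert(1)  runs on click.
function renderSlideVulnerable(attrs) {
  return '<a class="carousel-item" href="' + attrs.url + '">' +
         '<img src="' + attrs.src + '" alt="' + attrs.alt + '"></a>';
}

// HARDENED: validate the scheme first (escaping alone still lets javascript:
// through, since it contains no HTML metacharacters), then escape every
// attribute value on output (the scheme check alone does not stop a quote breakout).
function renderSlideHardened(attrs) {
  const href = isSafeUrl(attrs.url) ? attrs.url : '#';
  const src = isSafeUrl(attrs.src) ? attrs.src : '';
  return '<a class="carousel-item" href="' + escapeAttr(href) + '">' +
         '<img src="' + escapeAttr(src) + '" alt="' + escapeAttr(attrs.alt || '') + '"></a>';
}

// Constructed attacker-controlled block attributes (sample input, not from the advisory).
const ATTR_BREAKOUT = { url: '" onmouseover="alert(document.cookie)', src: 'https://example.com/a.jpg', alt: 'slide' };
const ATTR_SCHEME = { url: 'javascript:alert(1)', src: 'https://example.com/a.jpg', alt: 'slide' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSlideVulnerable(ATTR_BREAKOUT)); // event handler survives into the page
  console.log(renderSlideHardened(ATTR_BREAKOUT));   // quotes escaped, href is an inert relative path
  console.log(renderSlideHardened(ATTR_SCHEME));     // javascript: scheme replaced by #
}
```

The breakout payload passes the scheme check (it resolves to a harmless relative path) and is stopped by escaping; the javascript: payload passes escaping untouched and is stopped by the scheme check. Dropping either layer reopens one of the two routes.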
Defensive priority
medium
Recommended defensive actions
- Update the Splide Carousel Block plugin to version 1.7.2 or later
- Review contributor-submitted content with heightened scrutiny before publishing; the payload reaches visitors only after an editor or administrator publishes it
- Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline'; inline event handlers and javascript: URLs, the usual XSS payload forms here, are blocked under such a policy
- Restrict contributor accounts to sites where the contributor role is actually needed, and remove the plugin where it is not used
- Audit existing posts, including drafts and pending posts, for 'url' attributes in Splide Carousel blocks whose value uses a scheme other than http(s) or contains quote or angle-bracket characters
Evidence notes
Vulnerability confirmed via source code analysis of the plugin in the WordPress plugin repository. References point to specific files in the plugin build directory (carousel-item/index.js and carousel/view.js) and to a changeset indicating remediation activity. Wordfence provided the primary advisory.
Official resources
2026-05-27