PatchSiren cyber security CVE debrief
CVE-2026-42653 iova.mihai CVE debrief
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the SliceWP WordPress plugin. This issue, tracked as CVE-2026-42653, allows an attacker to inject malicious scripts into web pages, potentially leading to unauthorized actions or data theft. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
- Vendor: iova.mihai
- Product: SliceWP
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of the SliceWP WordPress plugin, particularly those with versions up to 1.2.6, should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by improper neutralization of input during web page generation, allowing an attacker to store malicious scripts. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
Defensive priority
HIGH
Recommended defensive actions
- Update the SliceWP plugin to a version that fixes the vulnerability.
- Review and monitor user-generated content for potential malicious scripts.
Evidence notes
The vulnerability was reported by [email protected] and is documented in the CVE-2026-42653 record on CVE.org and NVD.
Official resources
- CVE-2026-42653 CVE record (CVE.org)
- CVE-2026-42653 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-42653 was published on 2026-06-11T22:16:56.573Z and modified on 2026-06-12T13:13:53.050Z.