MEDIUM
dkjensen
CVE published 2026-05-27
CVE-2026-9022
The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'url' Block Attribute in all versions up to and including 1.7.1. Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute when users access injected pages. The payload req [truncated]