Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-24383: B Slider <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting (b-slider)

CVE ID CVE-2026-24383
Plugin b-slider
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 2.0.6
Patched Version 2.0.7
Disclosed January 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24383:
The B Slider WordPress plugin, versions up to and including 2.0.6, contains an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability exists in the plugin’s slider management interface, allowing contributors and higher-privileged users to inject malicious scripts. The CVSS score of 6.4 reflects the medium severity of this issue, which requires authentication but leads to persistent script execution.

Atomic Edge research identified insufficient input sanitization and output escaping as the root cause. The vulnerability likely resides in the plugin’s frontend block rendering or admin dashboard components where user-supplied slider content is processed. The provided code diff shows version number updates and build asset changes, but the actual security fix involves modifications to input handling functions not displayed in the diff. The vulnerability affects the core slider data processing logic.

An attacker with contributor-level access or higher can exploit this vulnerability by creating or editing a slider. The attacker injects malicious JavaScript payloads into slider content fields, such as titles, descriptions, or custom HTML attributes. When an administrator or any site visitor views a page containing the compromised slider, the injected script executes in their browser context. The attack vector is the plugin’s slider editor, accessible via the WordPress block editor or classic editor interface.

The patch in version 2.0.7 addresses the vulnerability by implementing proper input sanitization on user-controlled data before storage and applying output escaping when rendering slider content. The version bump from 2.0.6 to 2.0.7 and the updated build asset hashes indicate changes to the underlying JavaScript and PHP code responsible for processing slider attributes. The fix ensures that HTML and script content from users is treated as untrusted data.

Successful exploitation allows attackers to perform actions within the context of an authenticated user’s session. This can lead to session hijacking, administrative account takeover, defacement of site content, or redirection to malicious sites. Since the payload is stored in the database, the attack persists across sessions and affects all users who view the compromised slider, amplifying the impact.

Differential between vulnerable and patched code

Code Diff 
--- a/b-slider/b-slider.php
+++ b/b-slider/b-slider.php
@@ -3,7 +3,7 @@
 /**
  * Plugin Name: bSlider
  * Description: Simple slider with bootstrap.
- * Version: 2.0.6
+ * Version: 2.0.7
  * Author: bPlugins
  * Author URI: http://bplugins.com
  * License: GPLv3
@@ -25,7 +25,7 @@
         }
     } );
 } else {
-    define( 'BSB_PLUGIN_VERSION', ( isset( $_SERVER['HTTP_HOST'] ) && 'localhost' === $_SERVER['HTTP_HOST'] ? time() : '2.0.6' ) );
+    define( 'BSB_PLUGIN_VERSION', ( isset( $_SERVER['HTTP_HOST'] ) && 'localhost' === $_SERVER['HTTP_HOST'] ? time() : '2.0.7' ) );
     define( 'BSB_DIR', plugin_dir_url( __FILE__ ) );
     define( 'BSB_DIR_PATH', plugin_dir_path( __FILE__ ) );
     define( 'BSB_ASSETS_DIR', plugin_dir_url( __FILE__ ) . 'assets/' );
@@ -47,7 +47,7 @@
                 'premium_slug'        => 'b-slider-pro',
                 'type'                => 'plugin',
                 'public_key'          => 'pk_b24b0b3f21a9dbfaff418c0c40fc1',
-                'is_premium'          => false,
+                'is_premium'          => true,
                 'premium_suffix'      => 'Pro',
                 'has_premium_version' => true,
                 'has_addons'          => false,
--- a/b-slider/build/admin-dashboard.asset.php
+++ b/b-slider/build/admin-dashboard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom'), 'version' => 'fff934fa85b0be847b5d');
+<?php return array('dependencies' => array('react', 'react-dom'), 'version' => '3a40cecf43a955acc64c');
--- a/b-slider/build/index.asset.php
+++ b/b-slider/build/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => 'e2a7ee21874466f18665');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => 'd1c104bdf692d15d554e');
--- a/b-slider/build/view.asset.php
+++ b/b-slider/build/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-components', 'wp-i18n'), 'version' => '73a5607e091b0d621df9');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-components', 'wp-i18n'), 'version' => '79c2855249a1e334be07');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School