Atomic Edge analysis of CVE-2026-5767 (metadata-based): This vulnerability affects the SlideShowPro SC plugin for WordPress versions up to 1.0.2. It is a Stored Cross-Site Scripting (XSS) vulnerability with a CVSS score of 6.4 (medium severity). The attack vector allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via the plugin’s `slideShowProSC` shortcode.
The root cause is insufficient input sanitization and output escaping on user-supplied attributes passed to the `slideShowProSC` shortcode. This is a CWE-79 (Cross-site Scripting) vulnerability. Based on the description and CWE classification, Atomic Edge research infers that the plugin likely registers a WordPress shortcode that accepts an ‘album’ attribute (and possibly others). The shortcode handler probably retrieves the attribute value and inserts it directly into HTML output without calling `esc_attr()` or `wp_kses()` or other sanitization functions. The lack of patched versions confirms this is a known, unaddressed flaw.
To exploit this vulnerability, an attacker with contributor-level WordPress permissions creates or edits a post/page and inserts the `[slideShowProSC album=”alert(‘XSS’)”]` shortcode. The attacker sets the ‘album’ attribute (or another user-supplied attribute) to contain malicious JavaScript. When the post is viewed, WordPress processes the shortcode and the plugin outputs the unsanitized attribute value into the page HTML, causing the script to execute in the victim’s browser. The specific attack vector is through the WordPress post editor; no AJAX or REST endpoint is required beyond the standard shortcode rendering.
Remediation requires the plugin developers to properly sanitize and escape user-supplied attributes. The shortcode handler should use `esc_attr()` for HTML attribute output and `wp_kses()` or similar for content. Input should be validated to allow only expected values (e.g., numeric IDs for album). Since no patched version exists, site administrators should either disable the plugin or use a virtual patch such as a WAF rule to block malicious attribute patterns.
The impact of successful exploitation is that an attacker can execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, data theft (cookies, CSRF tokens), defacement, or redirection to malicious sites. The attack requires contributor-level authentication, which limits the pool of attackers but still presents significant risk for multi-author WordPress sites.
