Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 4, 2026

CVE-2026-9022: Splide Carousel Block <= 1.7.1 Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute PoC, Patch Analysis & Rule

CVE ID: CVE-2026-9022
Severity: Medium (CVSS 6.4)
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Vulnerable Version: <= 1.7.1
Patched Version: 1.7.2
Disclosed: May 25, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9022:

This vulnerability allows authenticated attackers with Contributor-level access or higher to inject a stored cross-site scripting (XSS) payload through the 'url' block attribute of the Splide Carousel Block plugin for WordPress, in all versions up to and including 1.7.1. Because the attribute is neither sanitized on input nor escaped on output, the payload is saved as part of the post or page and executes in the browser of anyone who views the rendered content.

The root cause is the handling of the 'url' attribute on the plugin's carousel item block, which the block accepts so that a slide image can link to another destination. In the vulnerable version that value reaches the rendered markup without passing through an escaping function such as esc_url() or esc_attr(), so a script-scheme URL or an attribute breakout survives intact. The published diff does not show the JavaScript source itself: the files that change, carousel-item/index.asset.php and carousel/index.asset.php, are build manifests generated alongside each compiled bundle, listing the bundle's script dependencies and a content hash of the compiled code. The new hash in each manifest confirms that the compiled block code was rebuilt, but the dependency lists are unchanged and the code is not part of the diff, so the precise location of the fix has to be inferred rather than read.

To exploit the issue, an attacker with Contributor privileges creates or edits a post containing the Splide Carousel block and, within a carousel item, sets the 'url' attribute to a payload such as javascript:alert(document.cookie), or to a string that closes the attribute and injects an event handler, such as " onerror=alert(1). A data: URI or an encoded form of the script scheme are alternatives. A Contributor cannot publish, so the post is saved as pending review; the payload fires once an Editor or Administrator publishes it, and also when a reviewer previews the pending post, which makes the reviewer a likely first victim. Once the page is public, the unescaped attribute is rendered into the HTML for every visitor who loads it, and the browser executes the injected script.

The patch bumps the plugin from 1.7.1 to 1.7.2 in the splide-carousel.php header. The three build manifests (carousel-item/index.asset.php, carousel/index.asset.php, carousel/view.asset.php) each receive a new version hash, showing that both the editor bundles and the front-end view script were recompiled; their dependency lists are identical before and after. The compiled sources are not included in the diff, so the fix itself is inferred: the 'url' attribute is escaped at render time, most plausibly with esc_url(), which drops disallowed schemes such as javascript:, combined with attribute-context escaping, instead of being written raw into the markup as it was in 1.7.1.
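The vulnerable and hardened behaviour described above, as an added example that is not the plugin's code and does not reproduce its actual bundles (which the diff does not show). It models a carousel item's rendering as HTML-string construction so that both vectors named in the analysis, a script-scheme URL and an attribute breakout, can be exercised against the same input; renderItemVulnerable, renderItemHardened, sanitizeUrl, escAttr and the example site origin are assumed names, and the payload list is constructed for the demonstration.

```javascript
// Added example, not the Splide Carousel Block plugin's code. Models the 'url'
// block attribute flowing into a carousel item's markup. Names are assumptions.

const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);
const SITE_BASE = "https://example.test/"; // assumed site origin, used only to classify relative URLs

// VULNERABLE: the attribute is interpolated raw, so both a script-scheme URL and
// an attribute breakout (closing quote plus event handler) reach the visitor's browser.
function renderItemVulnerable(attrs) {
  return `<a class="splide__slide" href="${attrs.url}"><img src="${attrs.src}" alt=""></a>`;
}

// Attribute-context escaping, the job esc_attr() does on the PHP side.
function escAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Scheme allow-list in the spirit of esc_url(): returns "" for anything that can
// execute script. The URL parser is used only to classify the scheme; the cleaned
// input is returned unchanged so relative paths are not rewritten.
function sanitizeUrl(value) {
  // Drop control characters, which browsers ignore inside a scheme ("java\tscript:" executes).
  const cleaned = String(value ?? "").replace(/[\u0000-\u001f\u007f]/g, "").trim();
  if (cleaned === "") return "";
  let parsed;
  try {
    parsed = new URL(cleaned, SITE_BASE); // lower-cases the scheme, so JaVaScRiPt: is caught too
  } catch {
    return "";
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? cleaned : "";
}

// HARDENED: allow-list the scheme, then escape for the attribute context. Escaping is
// still required after the scheme check: an entity-encoded scheme like &#106;avascript:
// parses as a relative path here but is decoded by the browser inside an attribute.
// A rejected URL yields a slide without a link rather than href="" (which reloads the page).
function renderItemHardened(attrs) {
  const img = `<img src="${escAttr(sanitizeUrl(attrs.src))}" alt="">`;
  const href = sanitizeUrl(attrs.url);
  return href
    ? `<a class="splide__slide" href="${escAttr(href)}">${img}</a>`
    : `<div class="splide__slide">${img}</div>`;
}

// Constructed payloads covering the vectors listed in the analysis. The breakout uses
// onmouseover because onerror never fires on an <a> element.
const PAYLOADS = [
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  '" onmouseover=alert(1) x="',
  "&#106;avascript:alert(1)",
  "https://example.com/page?a=1&b=2",
  "/gallery/photo-1",
];

for (const url of PAYLOADS) {
  const attrs = { url, src: "https://example.test/wp-content/uploads/slide.jpg" };
  console.log("vulnerable:", renderItemVulnerable(attrs));
  console.log("hardened:  ", renderItemHardened(attrs));
}
```

Run it with node and compare the two lines per payload: the vulnerable renderer emits `href="javascript:..."` and `href="" onmouseover=alert(1) x=""` verbatim, while the hardened renderer drops the link for disallowed schemes and turns the breakout into `href="&quot; onmouseover=alert(1) x=&quot;"`, an inert attribute value. The two defences are deliberately separate: a scheme allow-list alone does nothing against the quote breakout, and attribute escaping alone does nothing against a well-formed javascript: URL.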

Successful exploitation executes arbitrary JavaScript in the context of any user who views the injected page, enabling session hijacking, credential theft, defacement, redirection to attacker-controlled sites, keylogging or phishing. Because the payload is stored with the post, every visitor to the page is affected for as long as it stays live. The Medium (CVSS 6.4) rating reflects the trade-off: the payload can be planted with the lowest authoring role, but a user with publish rights, Editor or above, has to preview or publish the post before it reaches visitors.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/splide-carousel/build/carousel-item/index.asset.php
+++ b/splide-carousel/build/carousel-item/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-url'), 'version' => 'dc0606dbf412a3af4549');
+<?php return array('dependencies' => array('react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-url'), 'version' => '56f3e99655c463beb88d');
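Review bot: the only visible change in carousel-item/index.asset.php is the version hash (dc0606dbf412a3af4549 to 56f3e99655c463beb88d); the dependency array is identical before and after, so nothing in this hunk shows how the 'url' attribute is now handled. Please include the corresponding change to the block's source, the component that emits the href, so the escaping can actually be reviewed; a manifest hash bump on its own cannot be audited for completeness.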
--- a/splide-carousel/build/carousel/index.asset.php
+++ b/splide-carousel/build/carousel/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices'), 'version' => '51deb1d6947788b25af6');
+<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices'), 'version' => 'e8fd1be94de72804e90b');
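Review bot: same situation for the parent carousel block's editor bundle: hash 51deb1d6947788b25af6 becomes e8fd1be94de72804e90b with the same eleven dependencies, so a reviewer cannot tell whether this block received a functional change for the 'url' fix or was merely rebuilt alongside carousel-item. A sentence in the commit message or changelog naming the bundles that carry functional changes would remove that ambiguity.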
--- a/splide-carousel/build/carousel/view.asset.php
+++ b/splide-carousel/build/carousel/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'cded92bca445d1928823');
+<?php return array('dependencies' => array(), 'version' => 'a5341ece28685141e981');
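Review bot: view.asset.php describes the front-end script that runs on the visitor's page, which is the bundle that matters most for a stored XSS fix, yet the hunk only shows its hash moving from cded92bca445d1928823 to a5341ece28685141e981 with an empty dependency list. Please attach the view script source change, or state explicitly whether the fix is applied at render time on the front end or only when the block is saved in the editor, since that decides whether posts saved under 1.7.1 are protected without being re-saved.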
--- a/splide-carousel/splide-carousel.php
+++ b/splide-carousel/splide-carousel.php
@@ -4,7 +4,7 @@
  * Description:       Carousel block
  * Requires at least: 6.5
  * Requires PHP:      7.0
- * Version:           1.7.1
+ * Version:           1.7.2
  * Author:            CloudCatch LLC
  * Author URI:        https://cloudcatch.io
  * License:           MIT
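Review bot: the header bump from 1.7.1 to 1.7.2 is the only change in splide-carousel.php, and no readme.txt or changelog update appears anywhere in the diff. For a security release the changelog entry should name the fix (escaping of the carousel item 'url' attribute) so site owners reading update notes can prioritise it, and if the plugin is distributed through the WordPress.org directory the readme's Stable tag needs the same 1.7.2 bump or the directory will keep serving the old build.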
