CVE-2026-0680 is a stored cross-site scripting (XSS) vulnerability identified in the Real Post Slider Lite plugin for WordPress, affecting all versions up to and including 2.4. The vulnerability arises from improper input sanitization and output escaping in the plugin's settings interface, enabling an authenticated attacker with administrator-level privileges to inject arbitrary JavaScript code into pages generated by the plugin. This malicious code is stored persistently and executed whenever any user accesses the compromised page. The vulnerability specifically impacts multi-site WordPress installations where the unfiltered_html capability is disabled, which restricts users from posting unfiltered HTML content. Exploitation requires high privileges (administrator access) and does not require user interaction beyond visiting the infected page. The CVSS v3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impacts without availability impact. No public exploits have been reported, and no patches are currently linked, indicating that remediation may require vendor updates or manual mitigations. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation, a common vector for XSS attacks. This vulnerability could be leveraged for session hijacking, defacement, or further privilege escalation within affected WordPress multi-site environments.

The primary impact of CVE-2026-0680 is the potential for attackers with administrator access to inject persistent malicious scripts into WordPress multi-site installations using the vulnerable Real Post Slider Lite plugin. This can lead to unauthorized actions such as session hijacking, theft of sensitive data, or execution of arbitrary actions on behalf of users who visit the infected pages. Although exploitation requires high privileges, the scope includes all users accessing the compromised pages, potentially affecting site administrators, editors, and visitors. The vulnerability does not affect availability but compromises confidentiality and integrity to a limited extent. Organizations running multi-site WordPress environments with this plugin are at risk of internal threat escalation and external attacks leveraging the injected scripts. The absence of known exploits reduces immediate risk, but the presence of the vulnerability in widely used CMS environments means it could be targeted in the future. The impact is more significant in environments where multiple sites share user bases and administrative roles, increasing the potential damage from a single injection point.

To mitigate CVE-2026-0680, organizations should first verify if they operate multi-site WordPress installations with the Real Post Slider Lite plugin installed and unfiltered_html disabled. Restrict administrator access strictly to trusted personnel to reduce the risk of malicious script injection. Monitor plugin settings and page content for unexpected or suspicious scripts. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly audit user privileges and review multi-site configurations to ensure minimal exposure. Since no official patch is currently available, consider temporarily disabling or removing the Real Post Slider Lite plugin in multi-site environments until a secure update is released. Engage with the plugin vendor or WordPress security community for updates and apply patches promptly once available. Additionally, educate administrators on secure plugin configuration and the risks of stored XSS in multi-site contexts. Employ web application firewalls (WAFs) with rules targeting XSS payloads as an additional protective layer.