CVE-2026-1613 identifies a stored cross-site scripting (XSS) vulnerability in the Wonka Slide plugin for WordPress, specifically affecting all versions up to and including 1.3.3. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'list_class' shortcode attribute. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on their behalf. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's popularity. The lack of output escaping and input validation highlights a common security oversight in plugin development, emphasizing the need for secure coding practices. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. The plugin developer has not yet released a patch, so users must apply workarounds or restrict access until a fix is available.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and editors. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations relying on the Wonka Slide plugin, this could result in reputational damage, loss of user trust, and potential regulatory consequences if sensitive data is exposed. Since the attack requires authenticated access, the threat is somewhat mitigated by proper user management; however, many WordPress sites grant contributor or higher roles to multiple users, increasing risk. The vulnerability does not affect system availability directly but can be leveraged as a foothold for further attacks. Given WordPress's global popularity, the scope of affected systems is broad, especially for sites using this specific plugin. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

1. Immediately restrict contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content that utilizes the 'list_class' shortcode for suspicious or unexpected code. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the plugin's shortcode parameters. 4. Encourage the plugin developer to release a security patch that properly sanitizes and escapes all user inputs and outputs related to the shortcode. 5. Until a patch is available, consider disabling or removing the Wonka Slide plugin if it is not critical to site functionality. 6. Educate site administrators and contributors on secure content creation practices and the risks of injecting untrusted code. 7. Regularly update WordPress core, themes, and plugins to reduce exposure to known vulnerabilities. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 9. Conduct periodic security scans to detect stored XSS and other vulnerabilities within the site content.