CVE-2026-1885 is a stored cross-site scripting vulnerability affecting the Slideshow Wp plugin for WordPress, specifically in all versions up to and including 1.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'sswpid' attribute of the 'sswp-slide' shortcode. Because of this, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability requires authentication but no user interaction beyond viewing the compromised page. The CVSS v3.1 score of 6.4 indicates a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of improper input validation in WordPress plugins, especially those that allow user-generated content to be embedded in pages.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, defacing content, or performing actions on behalf of users. This can lead to unauthorized access, data leakage, or reputational damage. Although availability is not directly impacted, the indirect consequences of exploitation—such as loss of user trust or administrative control—can be significant. Organizations running websites with the Slideshow Wp plugin are at risk, especially if they allow contributor-level users or untrusted authors to create content. The vulnerability could be leveraged in targeted attacks against organizations relying on WordPress for public-facing or internal sites, particularly where user privileges are not tightly controlled.

To mitigate this vulnerability, organizations should first check if they are using the Slideshow Wp plugin and verify the version. Since no patch links are currently available, administrators should consider disabling or removing the plugin until a fixed version is released. Restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Implement web application firewalls (WAFs) with rules to detect and block suspicious shortcode attributes or script injections related to 'sswpid'. Regularly audit user-generated content for injected scripts or anomalies. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for unusual activity or access patterns indicative of exploitation attempts. Finally, stay updated with vendor announcements for patches or updates addressing this vulnerability.