CVE-2026-4076 describes a stored cross-site scripting vulnerability in the Slider Bootstrap Carousel plugin for WordPress (versions up to 1.0.7). The issue stems from insufficient input sanitization and output escaping of the 'category' and 'template' shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then outputs the $category variable into multiple HTML attributes (id, data-target, href) and the $template variable into a class attribute without applying esc_attr(). This allows authenticated attackers with Contributor-level permissions or higher to inject arbitrary JavaScript that executes in the context of users viewing the affected pages.

Successful exploitation allows an authenticated user with Contributor-level access or above to inject stored malicious scripts into pages using the vulnerable shortcode attributes. These scripts execute in the browsers of users who view the injected pages, potentially leading to session hijacking, defacement, or other client-side attacks. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and impact on confidentiality and integrity but not availability.

No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict Contributor-level access to trusted users only and consider disabling or removing the Slider Bootstrap Carousel plugin if possible. Monitor for updates from the vendor and apply any official fixes promptly once available.