CVE-2026-8866 is a stored cross-site scripting vulnerability in the bradyholt jQuery googleslides WordPress plugin (up to version 1.3). The vulnerability exists because the googleslides_handler() function fails to properly sanitize and escape user-supplied shortcode attributes such as userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed. These attribute values are directly inserted into single-quoted HTML attributes without using esc_attr(), allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. This code executes in the context of any user who views the compromised page, potentially leading to session hijacking or other client-side attacks. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity) with network attack vector, low attack complexity, and privileges required at the contributor level.

An attacker with contributor-level or higher privileges can inject persistent malicious scripts into pages via shortcode attributes, which execute in the browsers of users who view those pages. This can lead to information disclosure such as session tokens or other client-side impacts. The vulnerability does not affect availability and requires authenticated access, limiting its scope. There are no known exploits in the wild at this time.

No official patch or remediation is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, restrict contributor-level access to trusted users only and consider disabling or removing the jQuery googleslides plugin until a fix is released. Avoid using the vulnerable shortcode attributes with untrusted input. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.