CVE-2026-9022 is a stored cross-site scripting vulnerability in the dkjensen Splide Carousel Block WordPress plugin affecting all versions up to 1.7.1. The issue stems from improper neutralization of input in the 'url' block attribute, enabling authenticated contributors or higher to inject malicious JavaScript code. The injected scripts execute in the context of site visitors when they view the published content. The vulnerability requires the injected content to be approved and published by an editor or administrator, limiting immediate exploitation. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the contributor level.

An attacker with contributor-level access can inject persistent malicious scripts into pages via the vulnerable 'url' attribute. These scripts execute in the browsers of users who visit the affected pages, potentially leading to theft of user data or session tokens, defacement, or other client-side impacts. The requirement for editorial approval before publication reduces the immediacy of exploitation but does not eliminate risk. There is no indication of impact on system availability or integrity beyond the injected content.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level permissions carefully and review all content submitted by contributors before publishing. Editors and administrators should be vigilant in approving content to prevent malicious scripts from being published. Avoid using the vulnerable plugin version or disable the affected functionality if possible.