{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0609", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-05T15:52:07.389Z", "datePublished": "2026-03-21T03:27:01.380Z", "dateUpdated": "2026-04-08T17:17:59.061Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:59.061Z"}, "affected": [{"vendor": "logichunt", "product": "Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b94f388a-c4af-4d3a-bd41-9b2d5d990672?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/logo-slider-wp/tags/4.9.0/public/class-logo-slider-wp-public.php?marks=309,314#L309"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-12-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-20T15:20:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:34.196961Z", "id": "CVE-2026-0609", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:54:14.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:34.196961Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:35.539Z"}}], "cna": {"title": "Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "logichunt", "product": "Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-20T15:20:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b94f388a-c4af-4d3a-bd41-9b2d5d990672?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/logo-slider-wp/tags/4.9.0/public/class-logo-slider-wp-public.php?marks=309,314#L309"}], "descriptions": [{"lang": "en", "value": "The Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:59.061Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0609", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:59.061Z", "dateReserved": "2026-01-05T15:52:07.389Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:01.380Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Logo Slider \u2013 Logo Carousel, Logo Showcase &amp; Client Logo Slider Plugin para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del texto alternativo de la imagen en todas las versiones hasta la 4.9.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en el shortcode 'logo-slider'. Esto hace posible que atacantes autenticados, con acceso de nivel de autor o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0609", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:51.497", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/logo-slider-wp/tags/4.9.0/public/class-logo-slider-wp-public.php?marks=309,314#L309"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b94f388a-c4af-4d3a-bd41-9b2d5d990672?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo Slider Plugin", "source": "cna", "vendor": "logichunt"}, "product": "logo_slider_\u2013_logo_carousel,_logo_showcase_&_client_logo_slider_plugin", "vendor": "logichunt"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:13:09.077902+00:00", "value": {"mitigation_remediation": ["Upgrade the Logichunt Logo Slider plugin to a version newer than 4.9.0", "Limit author\u2011level permissions to trusted users only", "If an upgrade cannot be applied immediately, temporarily remove or disable the 'logo-slider' shortcode from public\u2011facing pages"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that can execute arbitrary client\u2011side code"}, "threat_synthesis": {"affected_systems": "WordPress sites running Logichunt Logo Slider version 4.9.0 or earlier are affected. The flaw is present in every release up to and including 4.9.0.", "description_and_impact": "The Logichunt Logo Slider plugin is vulnerable to stored Cross\u2011Site Scripting via the image alt text within the 'logo-slider' shortcode. An attacker who can authenticate as an author or a higher level user can enter malicious script into the alt text field. When any user views a page containing the injected content, the script executes in that user\u2019s browser.", "risk_and_exploitability": "The CVSS score is 6.4, indicating moderate severity. The attacker must have author\u2011level or higher credentials to inject the payload, making internal attackers or compromised author accounts the primary threat vector. No EPSS data is available and the vulnerability is not listed in the KEV catalog, suggesting no widespread public exploitation yet, but any site that allows author\u2011level content creation remains at risk."}}}}, "created": "2026-03-23T09:50:03.119232+00:00", "updated": "2026-03-25T14:41:43.584115+00:00", "vendors": ["logichunt", "logichunt$PRODUCT$logo_slider_\u2013_logo_carousel,_logo_showcase_&_client_logo_slider_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}