{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1899", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T14:47:53.157Z", "datePublished": "2026-03-21T03:26:47.428Z", "dateUpdated": "2026-04-08T16:53:38.385Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:38.385Z"}, "affected": [{"vendor": "itpathsolutions", "product": "Any Post Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/562f194f-1f32-4de4-8074-84580f653bdb?source=cve"}, {"url": "https://wordpress.org/plugins/any-post-slider"}, {"url": "https://plugins.trac.wordpress.org/browser/any-post-slider/trunk/public/partials/any-post-slider-no_content.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/any-post-slider/tags/1.0.4/public/partials/any-post-slider-no_content.php#L3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-20T15:13:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:41.011922Z", "id": "CVE-2026-1899", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:54:39.693Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1899", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:41.011922Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:42.025Z"}}], "cna": {"title": "Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "itpathsolutions", "product": "Any Post Slider", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:13:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/562f194f-1f32-4de4-8074-84580f653bdb?source=cve"}, {"url": "https://wordpress.org/plugins/any-post-slider"}, {"url": "https://plugins.trac.wordpress.org/browser/any-post-slider/trunk/public/partials/any-post-slider-no_content.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/any-post-slider/tags/1.0.4/public/partials/any-post-slider-no_content.php#L3"}], "descriptions": [{"lang": "en", "value": "The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:47.428Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1899", "state": "PUBLISHED", "dateUpdated": "2026-03-23T15:54:39.693Z", "dateReserved": "2026-02-04T14:47:53.157Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:47.428Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Any Post Slider para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'aps_slider' del plugin en todas las versiones hasta la 1.0.4, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en el atributo 'post_type'. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1899", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:56.067", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/any-post-slider/tags/1.0.4/public/partials/any-post-slider-no_content.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/any-post-slider/trunk/public/partials/any-post-slider-no_content.php#L3"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/any-post-slider"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/562f194f-1f32-4de4-8074-84580f653bdb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Any Post Slider", "source": "cna", "vendor": "itpathsolutions"}, "product": "any_post_slider", "vendor": "itpathsolutions"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:24:05.798386+00:00", "value": {"mitigation_remediation": ["Upgrade the Any Post Slider plugin to a version newer than 1.0.4 or to the latest release.", "If an update is not immediately available, remove or deactivate the plugin to prevent further exploitation.", "Restrict Contributor or higher roles to trusted users, or else enforce least\u2011privilege access on the WordPress site.", "Monitor site content for unexpected script insertion and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any Post Slider plugin from vendor itpathsolutions, versions up to and including 1.0.4 are affected.", "description_and_impact": "The vulnerability allows an authenticated contributor or higher to embed arbitrary scripts into the slider shortcode, resulting in script execution for visitors to the injected page. This can lead to defacement, cookie theft, or other malicious actions that compromise confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity while the lack of an EPSS score does not quantify exploit probability; the vulnerability is not listed in the KEV catalog. Attackers need only authenticated access with Contributor level or higher and the ability to add or edit slider shortcodes. Once an affected shortcode is stored, the injected script executes in the browsers of any user who views the page containing that slider."}}}}, "created": "2026-03-23T09:50:37.782942+00:00", "updated": "2026-03-25T14:42:10.487585+00:00", "vendors": ["itpathsolutions", "itpathsolutions$PRODUCT$any_post_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}