CVE-2026-39507: WordPress Social Slider Feed plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A reflected or stored cross-site scripting (XSS) vulnerability exists in the Social Slider Feed WordPress plugin by Themeisle, affecting all versions up to and including 2.3.2. The flaw is reachable over the network and requires no authentication, but a victim must interact with a malicious link or page for the attack to succeed. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session hijacking, content tampering, and limited service disruption. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin. (Status: Available)
HarborGuard is capable of scoring this CVE at 7.1 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to route alerts to the appropriate team inbox within the customer org. (Status: Available)
Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The plugin endpoint is exposed over the network, so an attacker can reach it from the internet without any foothold on the host.
- Authentication: Not required
No account or session credential is needed; the vulnerability is exploitable by an anonymous, unauthenticated request.
- Victim interaction: Required
A victim must follow a crafted link or visit a malicious page that triggers the injected script in their browser.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; no race conditions or special environmental factors are required to trigger the vulnerability.
Blast Radius
- An attacker executes arbitrary JavaScript in the victim's browser session, enabling theft of session tokens or authentication cookies.
- Injected script can read and exfiltrate page content visible to the victim, including any displayed customer or site data.
- The attacker can alter the rendered page content the victim sees, facilitating phishing or credential-harvesting within the trusted site origin.
- Browser-side resource abuse or redirects can degrade or disrupt the victim's interaction with the affected WordPress site.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images that bundle the Social Slider Feed plugin at version 2.3.2 or earlier. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory and vendor release feed on every ingest cycle. Where compliance policy permits, compensating controls can be applied in the interim: network-policy rules that restrict unauthenticated access to the affected plugin endpoints, egress filtering to limit exfiltration reach from injected scripts, and feature-flag or plugin-disablement options surfaced through HarborGuard's workload annotation workflow. The moment Themeisle publishes a patched release, HarborGuard will make a rebuilt image at the fix version available; for customers who opt into auto-remediation, that triggers a full rebuild, regression-test run, and a PR opened against affected workloads automatically.
- Themeisle / Social Slider Feed ≤ 2.3.2
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L