CVE-2026-42653 | Severity: HIGH | CNA: Patchstack

CVE-2026-42653: WordPress SliceWP plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) vulnerability in the SliceWP WordPress plugin (versions up to and including 1.2.6) allows an unauthenticated attacker to inject malicious scripts via the network that are then saved and later executed in the browsers of users who view the affected content. No authentication is required to submit the malicious payload, but a victim must load the affected page for the injected script to run. Successful exploitation gives the attacker the ability to read data from the victim's session, modify page content, and disrupt the user's experience within the affected application. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-42653 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the SliceWP plugin. Any image at or below SliceWP 1.2.6 is flagged automatically.
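As an added example (not HarborGuard's scanner code and not code from the SliceWP project), the following Python shows the version check the detection describes: it reads the `Plugin Name:` and `Version:` lines from a WordPress plugin's header comment, compares the version numerically against the advisory's inclusive upper bound of 1.2.6 (the record's "n/a" lower bound means there is none), and returns a verdict per image. The plugin header files below are constructed samples; a real scanner would read the main PHP file under `wp-content/plugins/<slug>/` in the image. Numeric comparison matters because a plain string compare would rank 1.2.10 below 1.2.6 and miss nothing but also flag a fixed build.

```python
import re
from typing import Dict, List, Tuple

# Advisory facts from the CVE record: SliceWP "from n/a through 1.2.6" is affected.
CVE_ID = "CVE-2026-42653"
AFFECTED_PLUGIN_NAME = "SliceWP"
AFFECTED_THROUGH = "1.2.6"   # inclusive upper bound; "n/a" lower bound means none

# Constructed sample plugin header files (not real SliceWP source), standing in
# for the main plugin PHP file a scanner would extract from each image.
SAMPLE_PLUGIN_FILES: Dict[str, str] = {
    "image-a": "<?php\n/**\n * Plugin Name: SliceWP\n * Version: 1.2.6\n */\n",
    "image-b": "<?php\n/*\nPlugin Name: SliceWP\nVersion: 1.2.10\n*/\n",
    "image-c": "<?php\n/**\n * Plugin Name: SliceWP\n * Version: 1.2.7-beta1\n */\n",
    "image-d": "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 0.9\n */\n",
    "image-e": "<?php\n/**\n * Plugin Name: SliceWP\n */\n",
}

# Matches header lines such as " * Version: 1.2.6" or "Plugin Name: SliceWP".
HEADER_RE = re.compile(
    r"^[ \t*#/]*(?P<key>Plugin Name|Version):[ \t]*(?P<value>.+?)[ \t]*$",
    re.MULTILINE,
)


def parse_plugin_header(contents: str) -> Dict[str, str]:
    """Read the header fields we need from the first 8 KiB, as WordPress itself does."""
    fields: Dict[str, str] = {}
    for m in HEADER_RE.finditer(contents[:8192]):
        fields.setdefault(m.group("key"), m.group("value"))
    return fields


def parse_version(version: str) -> Tuple[List[int], str]:
    """Split '1.2.7-beta1' into ([1, 2, 7], 'beta1') and '1.2.6' into ([1, 2, 6], '')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][\w.-]*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return [int(part) for part in m.group(1).split(".")], (m.group(2) or "").lower()


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b, comparing each component numerically."""
    nums_a, pre_a = parse_version(a)
    nums_b, pre_b = parse_version(b)
    width = max(len(nums_a), len(nums_b))
    nums_a += [0] * (width - len(nums_a))   # 1.2 is treated as 1.2.0
    nums_b += [0] * (width - len(nums_b))
    if nums_a != nums_b:
        return nums_a < nums_b
    # Same numbers: a pre-release precedes its final release.
    if pre_a and not pre_b:
        return True
    if pre_b and not pre_a:
        return False
    return pre_a <= pre_b


def assess(contents: str) -> str:
    """Return 'affected', 'not-affected', 'unknown-version' or 'not-slicewp'."""
    header = parse_plugin_header(contents)
    if header.get("Plugin Name", "").casefold() != AFFECTED_PLUGIN_NAME.casefold():
        return "not-slicewp"
    version = header.get("Version")
    if not version:
        return "unknown-version"   # surface for review rather than silently passing
    return "affected" if version_le(version, AFFECTED_THROUGH) else "not-affected"


def scan_samples() -> Dict[str, str]:
    """Apply the check to every constructed sample image."""
    return {image: assess(contents) for image, contents in SAMPLE_PLUGIN_FILES.items()}


if __name__ == "__main__":
    for image, verdict in scan_samples().items():
        print(f"{CVE_ID} {image}: {verdict}")
```

A header with no `Version:` line is reported as `unknown-version` rather than treated as safe, so such images still reach a reviewer.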

Status: Available
Triage

Triage is available with a CVSS v3.1 score of 7.1 (HIGH), weighted against each customer's configured compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Status: Available
Patch

Because no upstream fix version has been published for CVE-2026-42653, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment iova.Mihai ships a remediated release. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker submits the malicious payload over the network to the vulnerable WordPress installation, so the service must be reachable from the attacker's position.

  • Authentication: Not required

    No account or credentials are needed to inject the stored payload; the vulnerable input accepts unauthenticated submissions.

  • Victim interaction: Required

    A logged-in or anonymous user must load the page containing the stored payload for the injected script to execute in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental preconditions.

Blast Radius

  • An attacker's injected script runs in the victim's browser session, giving access to session cookies and authentication tokens for the affected WordPress site.
  • Page content visible to the victim can be modified or replaced, enabling phishing lures or redirection to attacker-controlled sites.
  • The injected script can perform actions on the WordPress site on behalf of the victim, including modifying settings or submitting forms, depending on the victim's privilege level.
  • The script can interfere with page rendering and disrupt the user's interaction with the affected application.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged against any scanned image that bundles SliceWP at version 1.2.6 or earlier, with a severity rating of HIGH (CVSS 7.1) applied automatically. Because no fix version exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle. The moment an upstream patch is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that triggers a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict which endpoints can submit data to the SliceWP input surface, egress filtering to limit what a successful XSS payload can reach, and disabling or removing the SliceWP plugin from images where affiliate tracking functionality is not required.

Affected packages

  • iova.mihai / SliceWP, versions ≤ 1.2.6

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L