cleantalk
Vulnerabilities and Security Researches

Simple SEO Slideshow, CVE-2026-8900

CVE, Research URL

CVE-2026-8900

Home page URL

Security reports for Simple SEO Slideshow

Application

Simple SEO Slideshow

Published on
Jun 06, 2026
Research Description
The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.
Affected versions
max 1.2.9.
Status
vulnerable
Previous vulnerability researches
Hippoo! (CVE-2025-12655) , Jan 11, 2026
Hippoo! (CVE-2025-13339) , Jan 11, 2026
Hippoo! (CVE-2026-10580) , Jun 08, 2026
New vulnerability
Hippoo! (CVE-2026-10580) , Jun 08, 2026
Simple SEO Slideshow (CVE-2026-8900) , Jun 08, 2026
LearnPress Export Import – WordPress extension for LearnPress (CVE-2026-7565) , Jun 08, 2026
LearnPress Export Import – WordPress extension for LearnPress (CVE-2026-7566) , Jun 08, 2026
Event Monster – Event Management, Tickets Booking, Upcoming Event (CVE-2026-8608) , Jun 08, 2026