PT-2026-34279 · WordPress · Slider Bootstrap Carousel

Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-4076

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Slider Bootstrap Carousel versions prior to 1.0.8

Description

Stored Cross-Site Scripting is possible due to insufficient input sanitization and output escaping of user-supplied shortcode attributes. The plugin calls extract() on the result of shortcode_atts() to parse attributes, so the category variable is output directly into HTML attributes (id, data-target, href) and the template variable is output into a class attribute, in both cases without proper escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages; the scripts execute when other users access those pages.

Recommendations

Update to a version later than 1.0.7. As a temporary workaround, restrict the use of the category and template attributes in shortcodes to users with higher administrative privileges.
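The hardened form of the pattern named in the description, as an added example; it is not the plugin's code or its actual patch. The handler name, the [sbc_example] tag, the markup and the assumption that category and template only need identifier-like values are all hypothetical.

```php
<?php
// Added example: hypothetical shortcode handler, not the plugin's source.
// sbc_example_carousel, the [sbc_example] tag and the markup are assumptions.

function sbc_example_carousel( $atts ) {
    // Keep the parsed attributes in an array. extract() would turn each key
    // into a local variable, which makes it easy to echo one unescaped.
    $atts = shortcode_atts(
        array(
            'category' => '',
            'template' => 'default',
        ),
        $atts,
        'sbc_example'
    );

    // Validate on input (assumption: both values are identifier-like).
    $category = sanitize_key( $atts['category'] );                   // a-z 0-9 _ -
    $template = sanitize_html_class( $atts['template'], 'default' ); // A-Z a-z 0-9 _ -

    if ( '' === $category ) {
        return ''; // nothing usable left after sanitizing
    }

    $id = 'carousel-' . $category;

    // Escape on output: every value placed in an HTML attribute
    // (id, class, href, data-target) goes through esc_attr().
    $html  = sprintf(
        '<div id="%1$s" class="carousel slide %2$s">',
        esc_attr( $id ),
        esc_attr( $template )
    );
    $html .= sprintf(
        '<a class="carousel-control-prev" href="%1$s" data-target="%1$s">Previous</a>',
        esc_attr( '#' . $id )
    );
    $html .= '</div>';

    return $html;
}
add_shortcode( 'sbc_example', 'sbc_example_carousel' );
```

Sanitizing alone would be enough for these two attributes, but keeping esc_attr() at the point of output means a later change to the validation does not reopen the attribute context.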

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-4076

Affected Products

Slider Bootstrap Carousel