CVE-2026-6672

Name of the Vulnerable Software and Affected Versions SliceWP Affiliates versions prior to 1.2.8

Description The SliceWP Affiliates plugin for WordPress contains a stored cross-site scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because of insufficient input sanitization and output escaping of user-supplied attributes within the 'slicewp affiliate url' shortcode. These scripts execute whenever a user visits the affected page.

Recommendations Update the plugin to a version later than 1.2.7. As a temporary workaround, restrict the use of the 'slicewp affiliate url' shortcode to trusted users with higher privilege levels.