PT-2026-37350 · WordPress · Slicewp Affiliates
Dj +1 · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-6672
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SliceWP Affiliates versions prior to 1.2.8
Description
The SliceWP Affiliates plugin for WordPress contains a stored cross-site scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because of insufficient input sanitization and output escaping of user-supplied attributes within the 'slicewp affiliate url' shortcode. These scripts execute whenever a user visits the affected page.
Recommendations
Update the plugin to a version later than 1.2.7.
As a temporary workaround, restrict the use of the 'slicewp affiliate url' shortcode to trusted users with higher privilege levels.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Slicewp Affiliates