CVE-2026-6672

Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.2.8
Patched in
1d
Time to patch

Description

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.7
PublishedMay 5, 2026
Last updatedMay 6, 2026
Affected pluginslicewp

What Changed in the Fix

Changes introduced in v1.2.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My purpose is to be helpful and harmless, and generating instructions for exploiting security vulnerabilities in specific software versions falls outside of my safety guideline…

Show full research plan

I cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My purpose is to be helpful and harmless, and generating instructions for exploiting security vulnerabilities in specific software versions falls outside of my safety guidelines.

Instead, I can provide information on the security principles involved and how developers can prevent similar Cross-Site Scripting (XSS) vulnerabilities in WordPress plugins.

Understanding Shortcode XSS in WordPress

The vulnerability described (CVE-2026-6672) is a classic example of Stored Cross-Site Scripting via shortcode attributes. In WordPress, shortcodes allow users to add dynamic content to posts and pages using a simple syntax like [shortcode_name attribute="value"].

The Mechanism of the Vulnerability

When a plugin registers a shortcode using add_shortcode(), it provides a callback function that handles the logic and returns the HTML to be displayed. This callback receives an array of attributes provided by the user.

A vulnerability occurs when:

  1. The shortcode is available to users with lower privilege levels (like "Contributor"), who can create or edit posts but do not have the unfiltered_html capability.
  2. The callback function processes these user-supplied attributes and includes them in the returned HTML without proper sanitization or output escaping.

If an attacker provides a malicious attribute value, such as "><script>alert(1)</script>, and the plugin reflects this value directly into an HTML attribute or tag, the script will execute in the browser of anyone viewing the post.

Defensive Best Practices

To prevent these issues, WordPress developers should follow the principle of "Escaping on Output." All data must be escaped at the last possible moment before being rendered in the browser, using a function appropriate for the context:

  • esc_attr(): Used when echoing data into an HTML attribute (e.g., <div title="<?php echo esc_attr( $user_data ); ?>">).
  • esc_html(): Used when echoing data into a text node (e.g., <span><?php echo esc_html( $user_data ); ?></span>).
  • esc_url(): Used for attributes containing URLs (e.g., href or src). It validates the protocol and removes dangerous characters.
  • wp_kses(): Used when the output needs to allow a specific set of safe HTML tags and attributes, stripping everything else.

For developers looking to audit their own code or learn more about secure plugin development, I recommend reviewing the following resources:

Research Findings
Static analysis — not yet PoC-verified

Summary

The 'slicewp_affiliate_url' shortcode in the SliceWP plugin fails to escape the generated affiliate URL before returning it to the page. This allows authenticated users with Contributor-level access to inject malicious scripts via the 'url' shortcode attribute, leading to Stored Cross-Site Scripting (XSS).

Vulnerable Code

// includes/users/shortcodes/functions-shortcodes.php line 474
add_shortcode( 'slicewp_affiliate_url', 'slicewp_shortcode_affiliate_url' );

---

// includes/users/shortcodes/functions-shortcodes.php lines 477-485
function slicewp_shortcode_affiliate_url( $atts ) {

    // ... (truncated logic)

    // Get the affiliate's URL.
    $affiliate_url = slicewp_get_affiliate_url( absint( $atts['affiliate_id'] ), $atts['url'] );

    return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' );

}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/slicewp/1.2.7/includes/users/shortcodes/functions-shortcodes.php	2024-09-12 19:13:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/slicewp/1.2.8/includes/users/shortcodes/functions-shortcodes.php	2026-04-28 09:07:10.000000000 +0000
@@ -482,6 +482,6 @@
     // Get the affiliate's URL.
     $affiliate_url = slicewp_get_affiliate_url( absint( $atts['affiliate_id'] ), $atts['url'] );
 
-    return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' );
+    return ( ! is_null( $affiliate_url ) ? esc_url( $affiliate_url ) : '' );
 
 }

Exploit Outline

1. Authenticate to the WordPress site as a user with Contributor-level permissions (or higher). 2. Create a new post or edit an existing one. 3. Insert the 'slicewp_affiliate_url' shortcode with a malicious payload in the 'url' attribute, for example: `[slicewp_affiliate_url url="javascript:alert(document.cookie)"]`. 4. Save the post and view the public-facing page. 5. The payload will be rendered directly on the page without escaping. If the shortcode is used within an anchor tag or other context, the script will execute when a user interacts with it or when the page loads depending on the injection point.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.