CVE-2026-9022 Stored XSS in WordPress Splide Carousel Block Plugin

Vulnerability Overview Vulnerability Name: Splide Carousel Block <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute CVE ID: CVE-2026-9022 CVSS Score: 6.4 (Medium) Publication Date: May 26, 2026 Last Updated Date: May 27, 2026 Researcher: ZASTAI - ZASTAI Affected Scope Software Type: Plugin Software Name: splide-carousel Affected Versions: <= 1.7.1 Fixed Version: 1.7.2 Remediation Remediation Advice: Update to version 1.7.2 or a newer patched version. Vulnerability Description The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' block attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published for execution to occur when viewed by site visitors, which requires an Editor or Administrator to approve and publish the Contributor's post. Reference Links plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information Disclaimer: This record contains copyrighted material. Copyright Notice: - 2012-2026 Defiant Inc. - 1999-2026 The MITRE Corporation Contact Information Technical Support: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7/365 support with a 1-hour response time. Social Media Facebook: Facebook Twitter: Twitter LinkedIn: LinkedIn Email: Email Footer Information Terms of Service: Terms of Service Privacy Policy and Notice at Collection: Privacy Policy Do Not Sell or Share My Personal Information: Do Not Sell or Share My Personal Information Subscription Subscribe to News: Sign Up Copyright © 2012-2026 Defiant Inc. All Rights Reserved Other Links Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Social Media Icons X: X Facebook: Facebook LinkedIn: LinkedIn Instagram: Instagram Subscription Form Email: you@example.com Agree to Terms: By checking this box I agree to the terms of service and privacy policy Subscription Button Sign Up: Sign Up Copyright Information © 2012-2026 Defiant Inc. All Rights Reserved Other Links Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Social Media Icons X: X Facebook: Facebook LinkedIn: LinkedIn Instagram: Instagram Subscription Form Email: you@example.com Agree to Terms: By checking this box I agree to the terms of service and privacy policy Subscription Button Sign Up: Sign Up Copyright Information © 2012-2026 Defiant Inc. All Rights Reserved Other Links Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Social Media Icons X: X Facebook: Facebook LinkedIn: LinkedIn Instagram: Instagram Subscription Form Email: you@example.com Agree to Terms: By checking this box I agree to the terms of service and privacy policy Subscription Button Sign Up: Sign Up Copyright Information © 2012-2026 Defiant Inc. All Rights Reserved Other Links Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Social Media Icons X: X Facebook: Facebook LinkedIn: LinkedIn Instagram: Instagram Subscription Form Email: you@example.com Agree to Terms: By checking this box I agree to the terms of service and privacy policy Subscription Button Sign Up: Sign Up Copyright Information © 2012-2026 Defiant Inc. All Rights Reserved Other Links Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisorie

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-9022 Stored XSS in WordPress Splide Carousel Block Plugin

More from this source