Stored Cross-Site Scripting in Slider Bootstrap Carousel Plugin for WordPress
CVE-2026-4076

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Slider Bootstrap Carousel
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-4076?

The Slider Bootstrap Carousel plugin for WordPress presents a vulnerability through insufficient input sanitization and output escaping in the 'category' and 'template' shortcode attributes. Authenticated attackers with Contributor-level access can exploit this weakness, allowing them to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the affected pages, posing significant risks to site integrity and user safety. The direct output of unsanitized user input into HTML attributes creates this critical security flaw that requires immediate attention.

Affected Version(s)

Slider Bootstrap Carousel 0 <= 1.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/slider-bootstr...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Gilang Asra Bilhadi

CVE-2026-4076 Data

JSON