## Overview
SliceWP developers released version 1.2.7 to address CVE-2026-42653. This high-severity stored cross-site scripting flaw exists in all SliceWP versions through 1.2.6. Attackers can inject malicious scripts that persistently execute when users view affected pages.
## Technical Details
The vulnerability stems from improper neutralization of user input during web page generation. Specifically, unvalidated input in the plugin's content management interface is stored without sanitization. Attackers craft malicious payloads via the interface, which are saved to the database. Subsequent page loads render these payloads in the browser context of authenticated users, bypassing same-origin policies.
## Impact
This stored XSS allows attackers to steal session cookies, deface sites, or redirect users to phishing pages. The flaw affects all SliceWP installations running versions before 1.2.7. No authentication is required to trigger the exploit via crafted content. Attackers could leverage this to compromise site administrators or inject malware into visitor sessions.
## Mitigation
Administrators must upgrade SliceWP to version 1.2.7 immediately. No workarounds are recommended. Verify the plugin version via the WordPress dashboard or `wp-cli plugin list`. Ensure all sites using SliceWP are updated. Monitor for exploitation attempts targeting the vulnerable input fields. The vendor confirmed the fix in 1.2.7 sanitizes all user-submitted content before storage and output.
CSURFACE Threat Sensor