{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5694", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-06T12:24:13.396Z", "datePublished": "2026-04-15T07:45:30.201Z", "dateUpdated": "2026-04-15T15:51:43.593Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:30.201Z"}, "affected": [{"vendor": "aerin", "product": "Quick Interest Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3ce37e7-1dca-4f74-86ce-65bf29ef091e?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1338"}, {"url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1335"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chawabhon Netisingha"}], "timeline": [{"time": "2026-03-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-14T19:44:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:51:04.532315Z", "id": "CVE-2026-5694", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:51:43.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:51:04.532315Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:51:35.268Z"}}], "cna": {"title": "Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Chawabhon Netisingha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "aerin", "product": "Quick Interest Slider", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-14T19:44:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3ce37e7-1dca-4f74-86ce-65bf29ef091e?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1338"}, {"url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1335"}], "descriptions": [{"lang": "en", "value": "The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:30.201Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5694", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:51:43.593Z", "dateReserved": "2026-04-06T12:24:13.396Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T07:45:30.201Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5694", "lastModified": "2026-04-15T09:16:33.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:33.370", "references": [{"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1335"}, {"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/quick-interest-slider/tags/3.1.5/quick-interest-slider.php#L1338"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3ce37e7-1dca-4f74-86ce-65bf29ef091e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Quick Interest Slider", "source": "cna", "vendor": "aerin"}, "product": "quick_interest_slider", "vendor": "aerin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T09:50:22.311550+00:00", "value": {"mitigation_remediation": ["Upgrade the Quick Interest Slider plugin to the latest released version that addresses the XSS flaw; if no newer version is available, uninstall or disable the plugin entirely.", "If the plugin must remain, sanitize the loan\u2011amount and loan\u2011period inputs on submit and escape all output before rendering the stored values.", "Run a web\u2011application scanner or review the database content to ensure no residual malicious scripts remain in the plugin\u2019s data."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw applies to all releases of Quick Interest Slider developed by aerin up to and including version 3.1.5. Any WordPress site that has one of those versions installed is affected.", "description_and_impact": "The Quick Interest Slider plugin for WordPress is vulnerable to stored cross\u2011site scripting because the loan\u2011amount and loan\u2011period parameters are stored without proper sanitization and output escaping. An unauthenticated attacker can insert arbitrary script payloads into these fields, which persist in the database and are later rendered when a user requests the page. When a victim visits that page, the injected script executes in the victim\u2019s browser context, giving the attacker the ability to run client\u2011side code.", "risk_and_exploitability": "The advisory provides a CVSS v3 base score of 7.2, indicating high severity. No EPSS score is supplied and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires no authentication; an attacker only needs to submit malicious input through the loan parameters and ensure that a user later views a page that processes and renders the stored data. Because the payload is executed in the browser of anyone who views the page, the risk is significant for any site that trusts the plugin\u2019s content rendering. The lack of exploitable models in public exploits means that the operational threat is theoretical, but the high CVSS and ease of exploitation warrant prompt mitigation."}}}}, "created": "2026-04-15T13:49:14.866471+00:00", "updated": "2026-04-15T14:53:24.770805+00:00", "vendors": ["aerin", "aerin$PRODUCT$quick_interest_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}