Platform: wordpress
Component: ays-slider
Fixed in: 2.7.2
CVE-2026-32494 describes a Cross-Site Scripting (XSS) vulnerability in the Ays Pro Image Slider plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages, potentially leading to session hijacking or defacement. The vulnerability affects plugin versions up to and including 2.7.1; the lower bound is listed as n/a. A patch has been released in version 2.7.2.
Successful exploitation of CVE-2026-32494 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content of the web page. The impact is particularly severe for websites with sensitive user data or those that rely on user authentication. Given the plugin's functionality (image slider), attackers could inject scripts into images or slider controls, making the attack subtle and difficult to detect. The incorrectly configured access controls are the root cause, allowing unauthorized script injection.
CVE-2026-32494 was publicly disclosed on 2026-03-25. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk. It is advisable to prioritize patching this vulnerability, especially for websites handling sensitive data.
Exploit Status
EPSS: 0.04% (11th percentile)
CVSS Vector
The primary mitigation for CVE-2026-32494 is to upgrade the Ays Pro Image Slider plugin to version 2.7.2 or later. If upgrading is not immediately feasible, consider implementing stricter access control policies within the WordPress environment to limit the ability of unauthorized users to modify plugin settings. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly scan the WordPress installation for vulnerable plugins using security scanning tools.
Update to version 2.7.2, or a newer patched version
CVE-2026-32494 is a Cross-Site Scripting (XSS) vulnerability affecting the Ays Pro Image Slider plugin for WordPress, allowing attackers to inject malicious scripts.
You are affected if you are using Ays Pro Image Slider version 2.7.1 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Ays Pro Image Slider plugin to version 2.7.2 or later. This resolves the XSS vulnerability.
There are currently no confirmed reports of active exploitation, but the vulnerability poses a significant risk and should be patched promptly.
Refer to the Ays Pro Image Slider website or WordPress plugin repository for the official advisory and update information.
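One way to carry out the "check your plugin version" step across one or more WordPress roots, as an added example that is not code from the plugin or from this advisory's publisher. It assumes the plugin directory is named after the component slug `ays-slider` and reads the standard `Version:` plugin header; `make_sample_site` and its file name are constructed fixtures for a dry run.

```python
import re
from pathlib import Path

FIXED_VERSION = "2.7.2"     # "Fixed in" value from this advisory
PLUGIN_SLUG = "ays-slider"  # "Component" value; assumed to be the plugin directory name

# WordPress plugin headers live in a comment near the top of the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'2.7.1' -> (2, 7, 1); a non-numeric component counts as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def installed_version(wp_root):
    """Version header of the plugin's main file, or None if the plugin is absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the top of each file is inspected for the header comment.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else "0"  # no Version header: treat as oldest
    return None


def is_affected(wp_root):
    """True when the plugin is installed at a version below FIXED_VERSION."""
    version = installed_version(wp_root)
    return version is not None and parse_version(version) < parse_version(FIXED_VERSION)


def make_sample_site(root, version):
    """Constructed fixture: a fake plugin file (hypothetical name) for a dry run."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Sample Slider (constructed)\n * Version: {version}\n */\n"
    (plugin_dir / "sample-main.php").write_text(header, encoding="utf-8")


if __name__ == "__main__":
    import sys
    for site in sys.argv[1:]:
        print(site, installed_version(site), "AFFECTED" if is_affected(site) else "ok")
```

Run it with one or more WordPress root paths as arguments; a plugin whose main file carries no `Version:` header is reported as affected so that it gets a manual look.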