Master Slider < 3.7.1 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2018-20368 | Plugin Vulnerabilities

Description

The plugin did not properly sanitise the slider name when creating or editing a slider, leading to an Authenticated (editor+) Stored Cross-Site Scripting issue which will be triggered in the Slider table (/wp-admin/admin.php?page=master-slider).

Edit (WPScanTeam):
- The original report was from 2018, however the issue was never remediated.
- Multiple attempts were made to contact the vendor, but no response was received
- April 28th, 2021, v3.7.1 released, fixing the issue

Proof of Concept

As editor or admin, create/edit a slider with a name of "><img src onerror=alert(/XSS/)>, save it and return to the sliders list page (/wp-admin/admin.php?page=master-slider) to trigger the stored XSS

Affects Plugins

Fixed in 3.7.1

References

CVE

URL

https://www.vulnerability-lab.com/get_content.php?id=2158

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vulnerability-Lab

Verified

Yes

WPVDB ID

1787f8c9-b70a-4eb7-be61-813a2b585b5e

Timeline

Publicly Published

2018-11-14 (about 7 years ago)

Added

2021-04-09 (about 5 years ago)

Last Updated

2021-04-28 (about 5 years ago)

Other

Published

Title

Published

2026-02-05

Title

Okay Toolkit <= 2.3 - Reflected Cross-Site Scripting

Published

2024-10-25

Title

FormFacade < 1.3.7 - Reflected Cross-Site Scripting

Published

2022-01-24

Title

Advanced Database Cleaner < 3.0.4 - Reflected Cross-Site Scripting

Published

2025-04-01

Title

WordPress Galleria <= 1.4 - Reflected Cross-Site Scripting

Published

2025-04-24

Title

Image Style Hover <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting