WordPress Plugin Vulnerabilities

Social Slider Feed < 2.0.5 - Subscriber+ Stored XSS via Feeds

Description

The plugin does not have authorisation and CSRF check in place when adding and editing a Feed, and does not sanitise as well as escape user input. As a result, users with a role as low as subscriber could add arbitrary feeds, with Stored Cross-Site Scripting payloads in them.

Proof of Concept

Affects Plugins

Plugin icon
instagram-slider-widget
Fixed in 2.0.5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
24ab2998-9faf-46ca-9a80-f78136653da0

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2022-08-01 (about 3 years ago)

Other

Published
Title
Published
2024-10-25
Title
Cozy Blocks < 2.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-09
Title
Easy Social Share Buttons <= 1.4.5 - Reflected Cross-Site Scripting
Published
2022-04-12
Title
Themify - Post Type Builder Search Addon < 1.4.0 - Reflected Cross-Site Scripting
Published
2023-10-02
Title
WWM Social Share On Image Hover <= 2.2 - Admin+ Stored XSS
Published
2023-04-14
Title
Affiliate Links Lite < 2.7 - Contributor+ Stored XSS