Slide Anything < 2.3.47 – Author+ Cross Site Scripting in slide title | CVE 2022-2413

Description

The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfiltered_html capability is disabled.

An incomplete fix was introduced in version 2.3.46

Proof of Concept

Create new Slide where the tile is the XSS payload: ';alert(title);//'

The script then will be executed everywhere when the code is embedded.

Affects Plugins

slide-anything

Fixed in 2.3.47

References

CVE

CVE-2022-2413

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.5 (medium)

Miscellaneous

Original Researcher

Nhật Nam (or LacHa)

Submitter

nhatnam

Verified

Yes

WPVDB ID

2e38b1bb-4410-45e3-87ca-d47a2cce9e22

Timeline

Publicly Published

2022-07-14 (about 1 years ago)

Added

2022-07-14 (about 1 years ago)

Last Updated

2023-04-15 (about 1 years ago)

Other

Published

Title

Published

2020-04-29

Title

WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads

Published

2021-10-11

Title

WPSchoolPress < 2.1.17 - Multiple Admin+ Stored Cross-Site Scripting

Published

2023-11-13

Title

Chaty < 3.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Published

2023-02-13

Title

Resume Builder <= 3.1.1 - Subscriber+ Stored XSS

Published

2016-11-19

Title

Instagram Feed < 1.4.7 - Authenticated Cross-Site Scripting (XSS) & CSRF