WordPress Plugin Vulnerabilities

Master Slider < 2.8.0 - Reflected Cross-Site Scripting (XSS)

Description

The Master Slider – Responsive Touch Slider WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) security vulnerability. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website/page.

Proof of Concept

Affects Plugins

Plugin icon
master-slider
Fixed in 2.8.0

References

URL
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_master_slider_wordpress_plugin.html
URL
https://seclists.org/fulldisclosure/2016/Jul/27

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
329d4abe-b62d-4bff-82d5-cae8ca994c22

Timeline

Publicly Published
2016-07-13 (about 9 years ago)
Added
2016-07-13 (about 9 years ago)
Last Updated
2021-03-31 (about 5 years ago)

Other

Published
Title
Published
2024-04-10
Title
Meta Slider < 3.70.1 - Contributor+ Stored Cross-Site Scripting via metaslider Shortcode
Published
2024-11-08
Title
Map Store Locator <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-30
Title
Include Fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-01
Title
Custom Word Cloud <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter
Published
2024-05-06
Title
WPCS ( WordPress Custom Search ) <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting