Social Slider Feed < 2.0.6 – Admin+ Stored XSS via API Key | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Put the following payload in the YT API Key settings (/wp-admin/admin.php?page=settings-wisw): a"><svg/onload=alert(/XSS/)>

The XSS will be triggered when viewing the Profile Dashboard (wp-admin/admin.php?page=settings-wisw)

Affects Plugins

instagram-slider-widget

Fixed in 2.0.6

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

34ea4e55-01f6-42b7-a711-1114b221cfd1

Timeline

Publicly Published

2022-08-02 (about 3 years ago)

Added

2022-08-02 (about 3 years ago)

Last Updated

2022-08-02 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Quick Paypal Payments 3.0 - Payment Sending Multiple Parameter XSS

Published

2021-09-09

Title

Feedify Web Push Notifications < 2.1.9 - Reflected Cross-Site Scripting

Published

2021-09-09

Title

Notices <= 6.1 - Reflected Cross-Site Scripting

Published

2026-01-16

Title

Quote Master <= 7.1.1 - Reflected Cross-Site Scripting

Published

2023-10-29

Title

Bellows Accordion Menu < 1.4.3 - Contributor+ Stored Cross-Site Scripting