WordPress Plugin Vulnerabilities

Smart Slider 3 < 3.5.1.23 - Contributor+ Stored XSS via SVG Upload

Description

The plugin does not properly validate that users calling its upload function are allowed to making it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks.

Affects Plugins

Plugin icon
smart-slider-3
Fixed in 3.5.1.23

References

CVE
CVE-2024-3027
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/915f464f-449d-4ad2-9f43-6ce5d93ccb05

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Christiaan Swiers (YouGina)
Verified
No
WPVDB ID
3a5bf592-42ef-413a-a32b-8d88413eafb9

Timeline

Publicly Published
2024-04-12 (about 1 year ago)
Added
2024-04-12 (about 1 year ago)
Last Updated
2024-04-12 (about 1 year ago)

Other

Published
Title
Published
2024-11-04
Title
Photo Gallery by 10Web < 1.8.31 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-10-24
Title
Watu Quiz < 3.4.5 - Unauthenticated Stored Cross-Site Scripting via HTTP Referer
Published
2026-01-07
Title
Real Estate Pro <= 2.1.4 - Reflected Cross-Site Scripting
Published
2025-02-02
Title
SW Plus <= 2.1 - Reflected Cross-Site Scripting
Published
2024-10-24
Title
Post Grid and Gutenberg Blocks < 2.2.94 - Authenticated (Contributor+) Stored Cross-Site Scripting