WordPress Plugin Vulnerabilities

Post Carousel Slider for Elementor < 1.6.0 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
post-carousel-slider-for-elementor
Fixed in 1.6.0

References

CVE
CVE-2024-53749
URL
https://patchstack.com/database/wordpress/plugin/post-carousel-slider-for-elementor/vulnerability/wordpress-post-carousel-slider-for-elementor-plugin-1-4-0-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
ghsinfosec
Verified
No
WPVDB ID
3e09b041-1c08-4418-8f72-32cfc9f95284

Timeline

Publicly Published
2024-11-28 (about 1 year ago)
Added
2024-12-05 (about 1 year ago)
Last Updated
2025-04-29 (about 10 months ago)

Other

Published
Title
Published
2024-09-30
Title
WP-WebAuthn < 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-02-19
Title
ProfilePress < 4.15.0 - Unauthenticated Stored XSS
Published
2023-01-20
Title
Quick Event Manager < 9.7.5 - Unauthenticated Stored XSS
Published
2025-01-16
Title
melascrivi-plugin <= 1.4 - Reflected Cross-Site Scripting
Published
2023-10-09
Title
Slick Contact Forms <= 1.3.7 - Contributor+ Stored XSS