WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

Create/edit a slider, put the following payload in the CSS settings and save: </textarea><svg/onload=prompt(/XSS/)>

The XSS will be triggered when editing the slider again

Affects Plugins

slider-wd
Fixed in version 1.2.52

References

CVE
CVE-2022-1320

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Fayçal CHENA

Submitter

Fayçal CHENA

Submitter website
https://fafachena.com/
Submitter twitter
faycal_chena
Verified

Yes

WPVDB ID
43581d6b-333a-48d9-a1ae-b9479da8ff87

Timeline

Publicly Published

2022-04-26 (about 3 months ago)

Added

2022-04-26 (about 3 months ago)

Last Updated

2022-04-27 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin