WordPress Plugin Vulnerabilities
Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example.
Timeline
July 19th, 2021 - Details sent to vendor
July 21st, 2021 - Vendor working on a patch
August 11th, 2021 - Asked for update
August 12th, 20121 - Ticket handler will follow up with dev
September 21st, 2021 - No update, public disclosure
Proof of Concept
As a subscriber, create a Slider with the following payload in the Slider Title: "><script>alert(/XSS/)</script> Then view the Sliders list or Edit the slider to trigger the XSS https://www.youtube.com/watch?v=8oHr_PE2eZ8