WordPress Plugin Vulnerabilities

Master Slider - Responsive Touch Slider < 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_slide' shortcode in all versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied 'css_class' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
master-slider
Fixed in 3.9.10

References

CVE
CVE-2023-6382
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d2fc926-6f9f-4ed9-9598-e39b5e6c6544

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
4ebb70dd-6759-4dad-96a8-e62d11a05538

Timeline

Publicly Published
2024-05-31 (about 1 year ago)
Added
2024-05-31 (about 1 year ago)
Last Updated
2024-07-29 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Buddypress <= 1.9.1 - Stored Cross-Site Scripting (XSS)
Published
2023-08-30
Title
Reservation.Studio widget < 1.0.12 - Admin+ Stored XSS
Published
2024-11-22
Title
DeBounce Email Validator < 5.6.6 - Reflected Cross-Site Scripting
Published
2021-09-06
Title
CM Tooltip Glossary < 3.9.21 - Contributor+ Stored Cross-Site Scripting
Published
2026-01-11
Title
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce < 2.14.3 - Authenticated (Author+) Stored Cross-Site Scripting