Accordion Slider < 1.9.12 – Authenticted (Contributor+) Stored Cross-Site Scripting via HTML Attribute | CVE 2024-9582 | Plugin Vulnerabilities

Description

The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting, which is restricted to administrators by default.

Affects Plugins

accordion-slider

Fixed in 1.9.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/94f19f56-0667-443e-8545-a17fbe9c3ddb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Adel (ItsFadinG)

Verified

No

WPVDB ID

5604cc91-7b1e-42a6-9194-99b1f13c1791

Timeline

Publicly Published

2024-10-15 (about 1 year ago)

Added

2024-10-15 (about 1 year ago)

Last Updated

2024-10-16 (about 1 year ago)

Other

Published

Title

Published

2026-04-23

Title

Bricks < 2.3 - Reflected Cross-Site Scripting

Published

2025-12-01

Title

WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) < 4.0.0 - Unauthenticated Stored Cross-Site Scripting via External Content Import

Published

2020-07-12

Title

Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS

Published

2026-06-08

Title

RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-10-14

Title

Digiseller < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting