WordPress Plugin Vulnerabilities

Slideshow SE < 2.5.6 - Subscriber+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
slideshow-se
Fixed in 2.5.6

References

CVE
CVE-2022-43461

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
574186f4-cc06-46c1-bf80-b44a277d327c

Timeline

Publicly Published
2022-10-28 (about 3 years ago)
Added
2023-03-17 (about 3 years ago)
Last Updated
2023-03-17 (about 3 years ago)

Other

Published
Title
Published
2025-01-17
Title
Podlove Podcast Publisher < 4.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name
Published
2025-07-30
Title
Masteriyo - LMS < 1.18.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-04
Title
wSecure Lite <= 2.5 - Admin+ Stored XSS
Published
2024-01-03
Title
ARForms < 1.5.9 - Unauthenticated Stored XSS
Published
2023-02-14
Title
Opt-Out for Google Analytics < 2.3.5 - Admin+ Stored XSS