WP Image Carousel <= 1.0.2 – Contributor+ Stored XSS | CVE 2023-0589 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

Proof of Concept

1. Go to the plugin settings and insert all the settings, then save.
2. Insert the following shortcode in a post/page: [wpic speed='""}); alert(1); jQuery({"temp":true']

Affects Plugins

wp-image-carousel

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

58649228-69a6-4028-8487-166b0a07fcf7

Timeline

Publicly Published

2023-03-03 (about 2 years ago)

Added

2023-03-03 (about 2 years ago)

Last Updated

2023-03-03 (about 2 years ago)

Other

Published

Title

Published

2025-10-26

Title

SimpLy Gallery <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-17

Title

JetBlog <= 2.4.4 - Reflected Cross-Site Scripting

Published

2024-08-01

Title

WooCommerce PDF Vouchers < 4.9.5 - Reflected Cross-Site Scripting

Published

2022-07-18

Title

WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting

Published

2014-08-01

Title

Repagent - dewplayer-vinyl-en.swf xml Parameter XML File H&ling XSS