Slide Anything < 2.3.44 – Editor+ Stored Cross-Site Scripting | CVE 2022-1303 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Create/edit a Slider with the plugin and put the following payload in a Slide Description while in text mode: <script>alert(/XSS/);</script>

The XSS will be triggered when editing the slide again, as well in any page/post where the slider is embed

Affects Plugins

Fixed in 2.3.44

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Fayçal CHENA

Submitter

Fayçal CHENA

Submitter website

https://fafachena.com/

Submitter twitter

Verified

Yes

WPVDB ID

590b446d-f8bc-49b0-93e7-2a6f2e6f62f1

Timeline

Publicly Published

2022-04-18 (about 3 years ago)

Added

2022-04-18 (about 3 years ago)

Last Updated

2022-04-19 (about 3 years ago)

Other

Published

Title

Published

2011-10-24

Title

Cover WP < 1.6.6 - XSS

Published

2025-07-30

Title

WPFunnels < 3.5.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-24

Title

Time Slot < 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-10

Title

Silvasoft boekhouden <= 3.0.5 - Reflected Cross-Site Scripting

Published

2025-04-09

Title

WP Table Builder < 2.0.6 - Reflected Cross-Site Scripting