WordPress Plugin Vulnerabilities

PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)

Description

The slider import search feature of the plugin settings did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-products-slider
Fixed in 1.13.22

References

CVE
CVE-2021-24300

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837

Timeline

Publicly Published
2021-05-06 (about 4 years ago)
Added
2021-05-06 (about 4 years ago)
Last Updated
2021-05-07 (about 4 years ago)

Other

Published
Title
Published
2025-09-30
Title
SiteGround Email Marketing < 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-07
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.9.2 - Authenticated (Custom) Stored Cross-Site Scripting
Published
2018-11-20
Title
Accelerated Mobile Pages < 0.9.97.21 - Stored XSS
Published
2022-02-01
Title
Product Feed PRO for WooCommerce < 11.2.3 - Reflected Cross-Site Scripting
Published
2023-10-26
Title
Animated Counters < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode