LayerSlider 7.11.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ls_search_form Shortcode | CVE 2024-4575 | Plugin Vulnerabilities

Description

The LayerSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ls_search_form shortcode in version 7.11.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 7.11.1

Fixed in 7.11.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa4167a-686f-4fd0-a53d-eb61d57228a1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

haidv35

Verified

No

WPVDB ID

6c7c53d5-71ed-48e0-bc04-0eca1088dbb1

Timeline

Publicly Published

2024-05-22 (about 1 year ago)

Added

2024-05-22 (about 1 year ago)

Last Updated

2024-05-23 (about 1 year ago)

Other

Published

Title

Published

2026-02-04

Title

Dynamic Widget Content < 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field

Published

2025-01-13

Title

CoDesigner WooCommerce Builder for Elementor <= 4.28.2 - Author+ Stored XSS

Published

2014-08-01

Title

PHPFreeChat 0.2.8 - lib/csstidy-1.2/css_optimiser.php url Parameter XSS

Published

2025-08-29

Title

MultiSite Clone Duplicator <= 1.5.3 - Reflected Cross-Site Scripting

Published

2025-03-21

Title

CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter