Meta slider and carousel with lightbox < 2.0.2 – Authenticated (Author+) Stored Cross-Site Scripting | CVE 2024-47307 | Plugin Vulnerabilities

Description

The Meta slider and carousel with lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

meta-slider-and-carousel-with-lightbox

Fixed in 2.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/330e90a1-735c-48db-bf0f-95b7dacd1476

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Robert DeVore

Verified

No

WPVDB ID

773069bd-0ec4-4a7b-8a00-66ccb4c0b584

Timeline

Publicly Published

2024-09-25 (about 1 year ago)

Added

2024-10-02 (about 1 year ago)

Last Updated

2024-10-02 (about 1 year ago)

Other

Published

Title

Published

2019-02-20

Title

WooCommerce <= 3.5.4 - Stored Cross-Site Scripting (XSS)

Published

2025-12-20

Title

Five Star Restaurant Reservations – WordPress Booking Plugin < 2.7.7 - Unauthenticated Stored Cross-Site Scripting

Published

2025-02-24

Title

Pathomation <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-01-01

Title

Owl Carousel WP <= 2.2.2 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Custom Website Data 1.0 - wp-admin/admin.php ref Parameter XSS