WordPress Plugin Vulnerabilities

Carousel, Recent Post Slider and Banner Slider < 2.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not correctly sanitize and escape user-supplied attributes in the 'spice_post_slider' shortcode. This oversight could lead to the injection of arbitrary web scripts into pages that will execute whenever accessed by a user.

Affects Plugins

Plugin icon
spice-post-slider
Fixed in 2.1

References

CVE
CVE-2023-5362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dd70b9-6f8a-41fc-ab4f-f6cdfee8dfb8

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
8ad662a8-e205-4160-ae2d-d1c115a6ed3a

Timeline

Publicly Published
2023-10-20 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2023-05-22
Title
MailChimp Subscribe Forms < 4.0.9.2 - Admin+ Stored XSS
Published
2025-01-24
Title
Show/Hide Shortcode < 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-05
Title
WP Social Widget < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-08
Title
Simple Download Counter < 1.6.1 - Contributor+ Stored XSS
Published
2024-10-24
Title
Futurio Extra < 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting