Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) < 3.16.6 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-12043 | Plugin Vulnerabilities

Description

The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_link_title' parameter of the 'blog' widget in all versions up to, and including, 3.16.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

bdthemes-prime-slider-lite

Fixed in 3.16.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/23e1fffa-9170-4bc2-ad7e-27708a08033b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zer0gh0st

Verified

No

WPVDB ID

b199d95f-3242-4fde-8329-36529dcb1899

Timeline

Publicly Published

2025-01-22 (about 1 year ago)

Added

2025-01-22 (about 1 year ago)

Last Updated

2025-01-23 (about 1 year ago)

Other

Published

Title

Published

2022-05-17

Title

WP Athletics <= 1.1.7 - Subscriber+ Stored Cross-Site Scripting

Published

2022-03-14

Title

Members List < 4.3.7 - Reflected Cross-Site Scripting

Published

2025-01-14

Title

HireHive Job Plugin <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-12

Title

ListingPro < 2.9.10 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

JS External Link Info 1.21 - redirect.php blog Parameter XSS