Social Slider Feed < 2.0.5 – Subscriber+ Arbitrary Feed Deletion | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF check in place when deleting feeds, allowing ay authenticated users, such as subscriber to delete arbitrary feeds

Proof of Concept

As any authenticated user, such as subscriber. Or via CSRF against them

https://example.com/wp-admin/admin.php?page=feeds-wisw&social=instagram&feed=2&action=delete

Despite the "Sorry, you are not allowed to access this page." error, the feed will be deleted

Affects Plugins

instagram-slider-widget

Fixed in 2.0.5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

c747cc3b-f726-4aed-ba46-f844ab008971

Timeline

Publicly Published

2022-08-01 (about 3 years ago)

Added

2022-08-01 (about 3 years ago)

Last Updated

2022-08-01 (about 3 years ago)

Other

Published

Title

Published

2025-08-15

Title

Anber Elementor Addon <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link

Published

2014-08-01

Title

snazzy-archives <= 1.7.1 - swf/tagcloud.swf tagcloud Parameter XSS

Published

2025-10-23

Title

Bold Page Builder < 5.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter

Published

2024-05-17

Title

Logo Slider < 4.0.0 - Contributor+ Stored XSS

Published

2024-11-18

Title

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar < 5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode