Ultimate Carousel For Elementor <= 2.1.7 – Contributor+ Stored XSS | CVE 2023-0280

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

The plugin author was made aware of this vulnerability on Jan 13, 2023.

Proof of Concept

Exploit extra class for Advanced Carousel element:
" onmouseover="alert(1)" style="background:red;"

Affects Plugins

ultimate-carousel-for-elementor

No known fix

References

CVE

CVE-2023-0280

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

cb7ed9e6-0fa0-4ebb-9109-8f33defc8b32

Timeline

Publicly Published

2023-04-17 (about 2 years ago)

Added

2023-04-17 (about 2 years ago)

Last Updated

2023-04-17 (about 2 years ago)

Other

Published

Title

Published

2024-11-20

Title

Tailored Tools <= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2015-05-15

Title

Anti-Malware & Brute-Force Security by ELI < 4.15.20 - Multiple Reflected XSS

Published

2024-11-29

Title

GTPayment Donations <= 1.0.0 - Stored XSS via CSRF

Published

2025-06-19

Title

Better Random Redirect <= 1.3.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-09-04

Title

wp tell a friend popup form <= 7.1 - Admin+ Stored XSS