WordPress Plugin Vulnerabilities

Easy Slider Revolution < 1.1.0 - Author+ Stored XSS

Description

The plugin does not validate and escape some parameters in its the esrcpt_slider_allow_iframes_filter function, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
easy-slider-revolution
Fixed in 1.1.0

References

CVE
CVE-2023-28622
URL
https://patchstack.com/database/vulnerability/easy-slider-revolution/wordpress-easy-slider-revolution-plugin-1-0-0-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Yuki Haruma
Verified
No
WPVDB ID
d4075632-b8bb-4f4a-b9c2-e72c43fbe0af

Timeline

Publicly Published
2023-04-21 (about 3 years ago)
Added
2023-08-18 (about 2 years ago)
Last Updated
2024-04-08 (about 2 years ago)

Other

Published
Title
Published
2024-10-24
Title
Simple News <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode
Published
2014-08-01
Title
Count Per Day 3.1.1 - userperspan.php Multiple Parameter XSS
Published
2024-05-01
Title
WP Video Lightbox < 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Published
2025-09-05
Title
Course Booking Platform <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
WP Clone by WP Academy <= 2.1.1 - XSS in ZeroClipboard