WordPress Plugin Vulnerabilities

B Slider < 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The B Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
b-slider
Fixed in 2.0.7

References

CVE
CVE-2026-24383
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/683edf03-b3ea-4de9-91d8-c4a556739f7f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
fdce98ff-aa36-45da-b283-497b62434d4c

Timeline

Publicly Published
2026-01-29 (about 3 months ago)
Added
2026-02-02 (about 3 months ago)
Last Updated
2026-02-02 (about 3 months ago)

Other

Published
Title
Published
2024-01-31
Title
Beds24 Online Booking < 2.0.24 - Authenticated(Administrator+) Stored Cross-Site Scripting
Published
2024-04-03
Title
WordPress Tag and Category Manager – AI Autotagger < 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-01-27
Title
Membee Login < 2.3.7 - Unauthenticated Stored Cross-Site Scripting
Published
2025-03-27
Title
Cozy Blocks < 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-06
Title
Ditty < 3.1.36 - Author+ Stored XSS