PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
Description
Reflected XSS in PickPlugins Product Slider for WooCommerce plugin before 1.13.22 via unsanitized keyword GET parameter in slider import search.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PickPlugins Product Slider for WooCommerce plugin for WordPress versions before 1.13.22 contains a reflected Cross-Site Scripting (XSS) vulnerability in the slider import search feature. The keyword GET parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary JavaScript code [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL whose keyword parameter carries a JavaScript payload. The attacker must trick a logged-in administrator (or any user with access to the plugin settings page) into opening the crafted link. No authentication is required for the attacker, but the victim must be authenticated to the WordPress admin area. The injected script executes in the context of the victim's browser session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the WordPress admin context. This can lead to session hijacking, theft of sensitive information, defacement of the admin interface, or further compromise of the WordPress site [1].
Mitigation
The vulnerability is fixed in version 1.13.22 of the plugin. Users should update to this version immediately. No workarounds are provided in the available references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.13.22 (vulnerable)
- Range: 1.13.22 (fixed)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the `keyword` GET parameter in the slider import search feature allows reflected Cross-Site Scripting."
Attack vector
An attacker can craft a URL containing a malicious payload in the `keyword` GET parameter and trick a victim (e.g., an administrator) into visiting that URL. Because the plugin fails to sanitize this parameter before reflecting it in the page output, the injected JavaScript executes in the victim's browser session [CWE-79] [ref_id=1]. No authentication is required to trigger the reflection, though the victim must be logged into the WordPress admin area for the vulnerable settings page to be accessible.
Affected code
The slider import search feature in the PickPlugins Product Slider for WooCommerce plugin settings did not properly sanitize the `keyword` GET parameter [ref_id=1]. The advisory does not specify the exact file or function name.
What the fix does
The advisory states the issue is fixed in version 1.13.22 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve properly sanitizing or escaping the `keyword` GET parameter before outputting it in the slider import search page, preventing the reflection of arbitrary HTML or JavaScript.
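As an added illustration of the reflection pattern described under "Attack vector" and the input-sanitization and output-escaping fix described above (this is not the plugin's own code; the advisory names neither file nor function), the PHP below places a hypothetical version of the reflecting admin-page callback beside a hardened one. The `pps_render_import_search_*` functions, `pps_looks_injected` and the two payloads are assumptions made for the example; `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are the real WordPress helpers, with approximate stand-ins defined so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the PickPlugins plugin. Hypothetical admin-page
// callback that renders a "search sliders to import" box and reflects the
// `keyword` GET parameter: first the vulnerable pattern the advisory describes
// (CWE-79), then the hardened form. Function names and payloads are assumptions.

// Stand-ins so the file runs outside WordPress. They approximate the real
// helpers; inside WordPress the real functions take precedence.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );                  // drop HTML tags
        $str = preg_replace( '/%[a-f0-9]{2}/i', '', $str );  // drop stray %xx octets
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable: raw request input is concatenated straight into the page.
function pps_render_import_search_vulnerable( array $get ): string {
    $keyword = isset( $get['keyword'] ) ? $get['keyword'] : '';
    return '<form method="get">'
        . '<input type="text" name="keyword" value="' . $keyword . '">'
        . '<p>Results for: ' . $keyword . '</p>'
        . '</form>';
}

// Hardened: sanitize on the way in, then escape for the specific output
// context (attribute vs. text node) on the way out. Sanitizing alone is not
// enough, as the second payload below shows.
function pps_render_import_search_fixed( array $get ): string {
    $keyword = isset( $get['keyword'] )
        ? sanitize_text_field( wp_unslash( $get['keyword'] ) )
        : '';
    return '<form method="get">'
        . '<input type="text" name="keyword" value="' . esc_attr( $keyword ) . '">'
        . '<p>Results for: ' . esc_html( $keyword ) . '</p>'
        . '</form>';
}

// Crude check for the demo only (not a real XSS detector): does the rendered
// HTML still contain a script element or a live event-handler attribute?
function pps_looks_injected( string $html ): bool {
    return (bool) preg_match( '/<script|\son[a-z]+\s*=\s*"/i', $html );
}

// Constructed payloads an attacker might place in ?keyword=...
$payloads = array(
    'tag'       => '"><script>alert(document.cookie)</script>',
    'attribute' => '" autofocus onfocus="alert(document.cookie)',
);

foreach ( $payloads as $name => $payload ) {
    $get = array( 'keyword' => $payload );
    $vuln  = pps_render_import_search_vulnerable( $get );
    $fixed = pps_render_import_search_fixed( $get );
    printf( "== %s payload ==\n", $name );
    printf( "vulnerable: %s\n", $vuln );
    printf( "fixed:      %s\n", $fixed );
    printf( "injected?   vulnerable=%s fixed=%s\n\n",
        pps_looks_injected( $vuln ) ? 'yes' : 'no',
        pps_looks_injected( $fixed ) ? 'yes' : 'no' );
}
```

Run it with `php example.php`. The second payload is the one worth studying: it contains no `<`, so `sanitize_text_field` passes it through essentially unchanged, and only `esc_attr` on the attribute value neutralizes the quote that breaks out of `value="..."`. A capability check such as `current_user_can( 'manage_options' )` before rendering the page limits who can reach it, but does nothing against an administrator who opens the crafted link; context-correct output escaping is what closes the reflection.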
Preconditions
- auth: The victim must be logged into WordPress with access to the plugin's settings page and open the crafted URL.
- network: The attacker must be able to deliver the crafted URL to the victim (e.g., via a phishing link).
- config: The installed plugin version must be earlier than 1.13.22.
- input: The attacker supplies a malicious payload in the `keyword` GET parameter.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837 (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.