Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting
Description
The Slide Anything WordPress plugin before 2.3.44 does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Slide Anything WordPress plugin before 2.3.44 allows editor+ users to inject stored XSS via unsanitized slider descriptions, bypassing unfiltered_html restrictions.
Vulnerability
The Slide Anything WordPress plugin versions prior to 2.3.44 fail to sanitize and escape sliders' description fields. This allows high-privilege users (editor and above) to inject arbitrary JavaScript or HTML into the description. The vulnerability is present in all versions before the patched release 2.3.44 [1].
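The advisory names two missing controls, sanitizing the description on save and escaping it on output. The PHP below is an added illustration of that contrast and is not the Slide Anything plugin's code: the `sa_demo_*` function names, the `slider-description` class and the sample input are constructed, while `wp_kses_post` and `esc_html` are real WordPress helpers (used only when the file runs inside WordPress; plain-PHP fallbacks keep it runnable with `php demo.php` on its own).

```php
<?php
/**
 * Added example, not Slide Anything's code. Shows the pattern the advisory
 * describes (description stored and printed verbatim) beside a hardened form.
 * Function names and the CSS class are hypothetical.
 */

// "Before": the behaviour the advisory describes. Whatever an editor typed is
// stored unchanged and echoed unchanged, so markup in the description becomes
// part of every visitor's page, regardless of the unfiltered_html setting.
function sa_demo_render_unsafe(string $description): string
{
    return '<div class="slider-description">' . $description . '</div>';
}

// Control 1: sanitize on save. wp_kses_post() keeps only the HTML allowed in
// post content (no script elements, no on* handlers), and it does so for every
// author independent of whether they hold the unfiltered_html capability.
function sa_demo_sanitize_on_save(string $raw): string
{
    if (function_exists('wp_kses_post')) {
        return wp_kses_post($raw);
    }
    // Stand-alone fallback: treat the description as plain text.
    return strip_tags($raw);
}

// Control 2: escape (or re-filter) on output. Sanitizing new saves is not
// enough on its own, because rows written by an older version are already in
// the database; the template must defend itself regardless of what is stored.
function sa_demo_render_safe(string $stored): string
{
    if (function_exists('wp_kses_post')) {
        // Description is meant to carry limited markup: filter it again at output.
        $body = wp_kses_post($stored);
    } elseif (function_exists('esc_html')) {
        // Description is meant to be plain text: escape it as HTML text.
        $body = esc_html($stored);
    } else {
        // Stand-alone fallback equivalent to esc_html().
        $body = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return '<div class="slider-description">' . $body . '</div>';
}

// Triage aid after updating: flag already-stored descriptions that contain a
// script element, an inline event handler or a javascript: URL so they can be
// reviewed and cleaned. A match is a review candidate, not proof of compromise.
function sa_demo_looks_suspicious(string $stored): bool
{
    return (bool) preg_match('/<\s*script\b|\son[a-z]+\s*=|javascript\s*:/i', $stored);
}

// Constructed sample input (not taken from the advisory).
$constructed = 'Summer sale <b>50% off</b><script>/* constructed */</script>';

echo "Unsafe render:\n" . sa_demo_render_unsafe($constructed) . "\n\n";

$saved = sa_demo_sanitize_on_save($constructed);
echo "Stored after sanitizing:\n" . $saved . "\n\n";

echo "Safe render of the raw value (old row, never sanitized):\n"
    . sa_demo_render_safe($constructed) . "\n\n";

echo "Suspicious? " . (sa_demo_looks_suspicious($constructed) ? 'yes' : 'no') . "\n";
```

Run outside WordPress, the sanitizer strips all tags and the renderer escapes the raw value, so the script element survives only as inert text; inside WordPress the same two functions route through `wp_kses_post`, which is the filter that applies whether or not the author holds `unfiltered_html`. The `sa_demo_looks_suspicious` check is the kind of post-update sweep a site owner can run over stored slider descriptions, since updating the plugin does not rewrite rows that an older version already saved.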
Exploitation
An attacker must have an editor-level account (or higher) on the WordPress site. The attacker crafts a malicious payload containing JavaScript (e.g., ``) and places it into the slider description field. When the slider is displayed on any page, the stored script executes in the context of the victim's browser. The attack requires no additional user interaction beyond the victim visiting the affected page [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the browsers of any user visiting a page that displays the affected slider. This can be used to steal session cookies, deface the site, or redirect users to malicious sites. The vulnerability bypasses the unfiltered_html capability setting, so even sites that normally strip dangerous tags from editor-level users are affected [1].
Mitigation
The vulnerability is fixed in version 2.3.44 of the Slide Anything plugin. All sites running an older version should update immediately. No workaround is available. The plugin maintainer released the patch on an unspecified date before the public disclosure on 2022-04-18 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.3.44
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/590b446d-f8bc-49b0-93e7-2a6f2e6f62f1
News mentions
No linked articles in our index yet.