Video Slider - Slider Carousel < 1.4.8 - Admin+ Stored Cross-Site Scripting
Description
The Video Slider WordPress plugin before 1.4.8 does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1. Range: < 1.4.8
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of video settings allows stored cross-site scripting."
Attack vector
An attacker who has high-privileged access (e.g., Administrator) can inject malicious JavaScript into one of the plugin's video settings fields. Because the plugin fails to sanitize or escape these settings, the injected script is stored and later executed in the browsers of other users who view the affected slider [ref_id=1]. This allows Stored Cross-Site Scripting (XSS) even when the WordPress "unfiltered_html" capability is disallowed [CWE-79] [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the video settings of the Video Slider – Slider Carousel plugin for WordPress [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.4.8 of the plugin [ref_id=1]. No patch diff is provided in the bundle. The fix presumably adds proper sanitization and/or escaping to the video settings fields that were previously output without validation, preventing stored script injection.
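The advisory names no file or function, so the following is an added illustration of the generic pattern it describes, not the plugin's code: a settings value stored verbatim and echoed into markup unescaped, beside the sanitize-on-input, escape-on-output form that the fix presumably introduces. All option names, field names and function names are hypothetical. Note that the unfiltered_html capability governs core's KSES filtering of post content; it does not filter values a plugin stores through update_option, so the plugin has to do its own sanitizing and escaping.

```php
<?php
// Added illustration, not the Video Slider plugin's code. Every option name,
// POST field and function name here is a hypothetical placeholder.

// --- Before: the pattern the advisory describes (no sanitization, no escaping) ---
// The submitted setting is saved verbatim and later printed straight into an
// attribute, so whatever an administrator stored runs in every browser that
// renders the slider, independent of unfiltered_html.
function vs_example_save_settings_unsafe() {
    if ( ! current_user_can( 'manage_options' ) || ! check_admin_referer( 'vs_example_save' ) ) {
        return;
    }
    update_option( 'vs_example_video_title', $_POST['video_title'] );
    update_option( 'vs_example_video_url', $_POST['video_url'] );
}

function vs_example_render_slide_unsafe() {
    $title = get_option( 'vs_example_video_title', '' );
    $url   = get_option( 'vs_example_video_url', '' );
    // Stored value lands unescaped inside an attribute and an iframe src.
    echo '<div class="slide" title="' . $title . '"><iframe src="' . $url . '"></iframe></div>';
}

// --- After: sanitize on input, escape on output ---
function vs_example_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) || ! check_admin_referer( 'vs_example_save' ) ) {
        return;
    }
    // sanitize_text_field() strips tags and control characters from the title;
    // esc_url_raw() keeps only URLs with an allowed protocol for storage.
    $title = sanitize_text_field( wp_unslash( $_POST['video_title'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['video_url'] ?? '' ) );
    update_option( 'vs_example_video_title', $title );
    update_option( 'vs_example_video_url', $url );
}

function vs_example_render_slide_safe() {
    $title = get_option( 'vs_example_video_title', '' );
    $url   = get_option( 'vs_example_video_url', '' );
    // Escape at the point of output for the context the value lands in:
    // esc_attr() for an HTML attribute, esc_url() for a URL attribute
    // (esc_url() returns an empty string for disallowed schemes).
    printf(
        '<div class="slide" title="%s"><iframe src="%s"></iframe></div>',
        esc_attr( $title ),
        esc_url( $url )
    );
}

// Registering the options with a sanitize_callback makes the input-side
// cleaning apply wherever the Settings API saves them, not only in one handler.
function vs_example_register_settings() {
    register_setting( 'vs_example', 'vs_example_video_title', array( 'sanitize_callback' => 'sanitize_text_field' ) );
    register_setting( 'vs_example', 'vs_example_video_url', array( 'sanitize_callback' => 'esc_url_raw' ) );
}
add_action( 'admin_init', 'vs_example_register_settings' );
```

The defensive point is that sanitization on save and escaping on output are separate layers: even a value that reached the database before the fix is neutralized by the output escaping once the patched render path is in place, which is what makes "upgrade to 1.4.8 or later" sufficient without purging stored settings.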
Preconditions
- Auth: Attacker must have a high-privileged user role (e.g., Administrator) in the WordPress admin panel.
- Config: The vulnerable plugin version must be prior to 1.4.8.
- Network: The attacker must be able to access the video settings page of the plugin.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/053a9815-cf0a-472e-844a-3dea407ce022
News mentions
No linked articles in our index yet.