Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
Description
The Slide Anything WordPress plugin before 2.3.47 does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged-in user with roles as low as Author to inject a JavaScript payload into the slide title even when the unfiltered_html capability is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Slide Anything plugin before 2.3.47 allows authors to inject JavaScript via slide titles in admin pages.
Vulnerability
The Slide Anything WordPress plugin before version 2.3.47 does not properly sanitize or escape the slide title before outputting it in admin pages. This allows a logged-in user with roles as low as Author to inject arbitrary JavaScript payloads into the slide title, even when the unfiltered_html capability is disabled [1].
Exploitation
An attacker must have an Author-level account or higher on the WordPress site. The attacker creates or edits a slide and inserts a malicious JavaScript payload into the slide title. When the slide title is displayed in the admin pages, the payload executes in the context of the administrator's session [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS) in the WordPress admin area. This can result in session hijacking, defacement, or further privilege escalation attacks against site administrators [1].
Mitigation
The issue is fixed in version 2.3.47 of the Slide Anything plugin. Users should update to this version immediately. If updating is not possible, consider restricting Author-level permissions or disabling the plugin [1].
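As an added illustration of the class of defect described above (this is hypothetical example code, not Slide Anything's own source, and the function and meta-key names are assumed), the block below contrasts an admin page that echoes a stored slide title verbatim with one that sanitizes the value on save and escapes it on output using the standard WordPress helpers sanitize_text_field(), esc_html() and esc_attr():

```php
<?php
// Added example, not the plugin's actual code. Function names prefixed
// "hypothetical_" and the meta key "_hyp_slide_title" are assumptions.

// --- Vulnerable pattern: the stored title is echoed into admin HTML as-is. ---
function hypothetical_render_slide_row_vulnerable( $slide_id ) {
    $title = get_post_meta( $slide_id, '_hyp_slide_title', true );
    // Whatever markup an Author saved in the title becomes live HTML when an
    // administrator opens this page; that is the stored-XSS condition.
    echo '<tr><td>' . $title . '</td></tr>';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function hypothetical_save_slide_title( $slide_id, $raw_title ) {
    // Only users permitted to edit this slide may change its title.
    if ( ! current_user_can( 'edit_post', $slide_id ) ) {
        return false;
    }
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    update_post_meta( $slide_id, '_hyp_slide_title', sanitize_text_field( $raw_title ) );
    return true;
}

function hypothetical_render_slide_row_safe( $slide_id ) {
    $title = get_post_meta( $slide_id, '_hyp_slide_title', true );
    // esc_html() encodes <, >, &, " and ' so the value renders as text.
    // Escape at output even though the value was sanitized on save: the two
    // controls are independent and older stored values may predate the fix.
    echo '<tr><td>' . esc_html( $title ) . '</td></tr>';
}

function hypothetical_render_slide_input( $slide_id ) {
    $title = get_post_meta( $slide_id, '_hyp_slide_title', true );
    // Attribute context needs esc_attr(), not esc_html().
    printf( '<input type="text" name="slide_title" value="%s" />', esc_attr( $title ) );
}
```

The reason the unfiltered_html capability does not protect a site here is that WordPress applies its kses filtering to post content and excerpts; a value a plugin stores in its own meta field or option receives no filtering unless the plugin applies it, so the plugin must both sanitize and escape the field itself.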
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Slide Anything
- Range: <2.3.47
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/2e38b1bb-4410-45e3-87ca-d47a2cce9e22/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.