VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2022 · Updated Aug 3, 2024

Slider, Gallery, and Carousel by MetaSlider < 3.27.9 - Admin+ Stored Cross Site Scripting

CVE-2022-2823

Description

A stored XSS vulnerability in MetaSlider plugin versions before 3.27.9 allows admin users to inject malicious scripts via unsanitized gallery image parameters, even without unfiltered_html.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin prior to version 3.27.9 fails to sanitize and escape certain Gallery Image parameters [1]. This allows privileged users with admin access to inject arbitrary web scripts, which are stored on the server and later executed in the context of other users' browsers. The vulnerability is present even when the unfiltered_html capability is disabled, such as in WordPress multisite configurations [1].
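The defect described above is the absence of the standard WordPress sanitize-on-save / escape-on-output pattern. The following is an added illustration of that pattern, written for this page; it is not MetaSlider's code and does not reproduce the plugin's actual field names or fix. The per-image fields (`title`, `alt`, `caption`, `link`), the meta key and the nonce action are hypothetical, and the snippet assumes it runs inside WordPress, where `sanitize_text_field()`, `esc_url_raw()`, `wp_kses_post()`, `esc_attr()`, `esc_url()`, `wp_unslash()`, `wp_verify_nonce()` and `update_post_meta()` are defined.

```php
<?php
/**
 * Added illustration (not MetaSlider's code): sanitize per-image gallery
 * settings when they are saved and escape them again when they are rendered.
 * Field names, meta key and nonce action below are hypothetical.
 * Assumes WordPress is loaded.
 */

// Allow-list of per-image settings this example stores, each paired with the
// sanitizer applied on save. Anything not listed is dropped.
function example_gallery_image_sanitizers() {
    return array(
        'title'   => 'sanitize_text_field', // plain text, tags stripped
        'alt'     => 'sanitize_text_field',
        'caption' => 'wp_kses_post',        // limited HTML; <script> and on* handlers removed
        'link'    => 'esc_url_raw',         // only safe URL schemes survive
    );
}

// Sanitize raw request data before it is persisted, regardless of who submits
// it. Gating this on unfiltered_html is the mistake to avoid: an administrator
// on a multisite install does not hold that capability, and even where it is
// granted, stored markup must still go through output escaping.
function example_sanitize_gallery_image( array $raw ) {
    $clean = array();
    foreach ( example_gallery_image_sanitizers() as $field => $sanitizer ) {
        $value           = isset( $raw[ $field ] ) ? (string) $raw[ $field ] : '';
        $clean[ $field ] = call_user_func( $sanitizer, wp_unslash( $value ) );
    }
    return $clean;
}

// Escape at render time, choosing the escaper by output context (attribute,
// URL, HTML body). Escaping on output keeps a value harmless even if an older,
// unsanitized record is still sitting in the database.
function example_render_gallery_image( array $image, $src ) {
    $caption = isset( $image['caption'] ) ? wp_kses_post( $image['caption'] ) : '';
    return sprintf(
        '<figure class="example-slide"><a href="%1$s"><img src="%2$s" alt="%3$s" title="%4$s"></a>%5$s</figure>',
        esc_url( isset( $image['link'] ) ? $image['link'] : '' ),
        esc_url( $src ),
        esc_attr( isset( $image['alt'] ) ? $image['alt'] : '' ),
        esc_attr( isset( $image['title'] ) ? $image['title'] : '' ),
        '' !== $caption ? '<figcaption>' . $caption . '</figcaption>' : ''
    );
}

// Save handler: capability check and nonce first, then sanitize, then store.
// The meta key '_example_gallery_image' and the nonce action are constructed.
function example_save_gallery_image_settings( $attachment_id ) {
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return false;
    }
    $nonce = isset( $_POST['example_gallery_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_gallery_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_gallery_image' ) ) {
        return false;
    }
    $raw   = isset( $_POST['example_image'] ) ? (array) $_POST['example_image'] : array();
    $clean = example_sanitize_gallery_image( $raw );
    update_post_meta( $attachment_id, '_example_gallery_image', $clean );
    return true;
}
```

The two halves are deliberately independent: the save path refuses to persist script-bearing input no matter which capabilities the submitting account holds, and the render path escapes per context so that data which reached the database by some other route (an import, an older plugin version) still cannot execute in a viewer's browser.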

Exploitation

An attacker must have an administrator-level account in the WordPress installation [1]. The attacker can then create or edit a MetaSlider gallery and insert malicious JavaScript into the unsanitized Gallery Image parameters. When the modified gallery is displayed to other users (including lower-privileged users or site visitors), the script is executed in their browsers [1].

Impact

Successful exploitation results in Stored Cross-Site Scripting (XSS). The attacker can perform actions such as session hijacking, defacement, or redirection to malicious sites, all within the context of the victim's session on the affected WordPress site. Because the script is stored, it affects any user who views the compromised gallery [1].

Mitigation

The vulnerability is fixed in MetaSlider version 3.27.9, released on or before September 14, 2022 [1]. Users should immediately update the plugin to version 3.27.9 or later. No workaround has been disclosed in the available references. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • WordPress / Slider, Gallery, and Carousel by MetaSlider WordPress plugin
  • Range: < 3.27.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.