VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2023 · Updated Apr 2, 2025

Product Slider for WooCommerce < 2.6.4 - Contributor+ Stored XSS in Shortcode

CVE-2022-4629

Description

Versions of the Product Slider for WooCommerce plugin below 2.6.4 contain a stored XSS vulnerability through unescaped shortcode attributes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Product Slider for WooCommerce WordPress plugin before version 2.6.4 fails to validate and escape some of its shortcode attributes before outputting them back in the page. This allows stored cross-site scripting. The vulnerability is present in all versions prior to the fix.

Exploitation

An attacker with a role as low as Contributor can inject arbitrary JavaScript into shortcode attributes. When the shortcode is rendered on a page viewed by higher-privilege users (such as admins), the malicious script executes. The stored XSS is triggered in the context of the victim's session.

Impact

Successful exploitation can lead to disclosure of sensitive information, session hijacking, or actions performed on behalf of the admin user. This can compromise the entire WordPress site, including the ability to create new admin accounts or inject backdoors.

Mitigation

The vulnerability is fixed in version 2.6.4 of the plugin. Administrators should update to this version or later immediately. No workarounds are documented. The plugin vendor released the patch on December 28, 2022 [1].
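
Because the injected value is saved in post content, exported posts can be reviewed for shortcode attributes that carry quotes, markup or event handlers. The Python audit below is an added example, not code from the plugin or the advisory; the tag name `example_slider`, the post dictionaries and the pattern list are assumptions, since the page names neither the shortcode nor its attributes.

```python
import re

# Hypothetical tag name: the advisory does not name the plugin's shortcode.
SHORTCODE_TAG = "example_slider"

# name="value", name='value' or name=bare inside a shortcode's attribute text.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Assumed rule set: content that changes meaning if a plugin echoes it into
# HTML without escaping. Deliberately noisy (an apostrophe in a title matches).
SUSPICIOUS = [
    ("markup or quote characters", re.compile(r"""[<>"'`]""")),
    ("event-handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-capable URL scheme", re.compile(r"\b(?:javascript|data|vbscript)\s*:", re.I)),
]

def parse_shortcodes(content, tag=SHORTCODE_TAG):
    """Yield {attr: value} for every [tag ...] occurrence in post content."""
    tag_re = re.compile(r"\[" + re.escape(tag) + r"(?=[\s\]/])([^\]]*)\]")
    for m in tag_re.finditer(content):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[name.lower()] = dq or sq or bare
        yield attrs

def audit_posts(posts, tag=SHORTCODE_TAG):
    """Return (post_id, author_role, attr, reason) for each suspicious attribute."""
    findings = []
    for post in posts:
        for attrs in parse_shortcodes(post["content"], tag):
            for name, value in attrs.items():
                for reason, pattern in SUSPICIOUS:
                    if pattern.search(value):
                        findings.append((post["id"], post["role"], name, reason))
    return findings

SAMPLE_POSTS = [  # constructed data, not taken from a real site
    {"id": 101, "role": "editor", "content": 'Sale! [example_slider columns="4" title="Spring picks"]'},
    {"id": 102, "role": "contributor", "content": "[example_slider title='x\" onmouseover=\"void(0)']"},
    {"id": 103, "role": "contributor", "content": "[example_slider_other title='<b>']"},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Findings are review leads rather than proof of compromise; prioritise posts whose author holds the Contributor role, the lowest role the advisory lists as able to inject.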

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
