Product Slider For WooCommerce Lite <= 1.1.7 - Contributor+ Stored XSS
Description
Product Slider For WooCommerce Lite <=1.1.7 has a stored XSS via unsanitized shortcode attributes, exploitable by contributor-level users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Product Slider For WooCommerce Lite plugin for WordPress versions through 1.1.7 fails to validate and escape some of its shortcode attributes before outputting them in a page or post where the shortcode is embedded. This allows unauthenticated (for shortcode injection) or authenticated users with at least the Contributor role to inject arbitrary JavaScript or HTML into the site database.
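The defect class described above is a shortcode handler that echoes its attributes into markup without escaping. The following is an added illustration, not the plugin's own code: a hypothetical WordPress shortcode handler showing the unsafe pattern next to a hardened version that type-coerces, allowlists and context-escapes each attribute. The function, shortcode and attribute names are assumptions; `shortcode_atts`, `absint`, `esc_html`, `esc_attr` and `add_shortcode` are standard WordPress API functions.

```php
<?php
// Added example, not from the affected plugin. Names are hypothetical.

// Unsafe pattern: attribute values are concatenated straight into HTML.
// Whatever a Contributor types into title="..." or class="..." is stored with
// the post and rendered verbatim to every visitor, which is the stored XSS.
function example_slider_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'title' => 'Products',
        'class' => 'slider',
        'limit' => 5,
    ), $atts, 'example_slider_unsafe' );

    return '<div class="' . $atts['class'] . '" data-limit="' . $atts['limit'] . '">'
         . '<h2>' . $atts['title'] . '</h2>'
         . '</div>';
}

// Hardened pattern: every attribute is validated or escaped for the exact
// context it lands in (attribute value, text node, integer).
function example_slider_safe( $atts ) {
    $atts = shortcode_atts( array(
        'title' => 'Products',
        'class' => 'slider',
        'limit' => 5,
    ), $atts, 'example_slider_safe' );

    // Allowlist: a CSS class should be one of a fixed set, not free text.
    $allowed_classes = array( 'slider', 'slider-compact', 'slider-wide' );
    $class = in_array( $atts['class'], $allowed_classes, true )
        ? $atts['class']
        : 'slider';

    // Type coercion: a count can only ever be a non-negative integer.
    $limit = absint( $atts['limit'] );

    // Context escaping: esc_attr() for attribute values, esc_html() for text.
    return sprintf(
        '<div class="%1$s" data-limit="%2$d"><h2>%3$s</h2></div>',
        esc_attr( $class ),
        $limit,
        esc_html( $atts['title'] )
    );
}

// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_shortcode( 'example_slider', 'example_slider_safe' );
```

The key point for review is that `shortcode_atts()` only fills in defaults; it performs no sanitization, so escaping must happen at output and be chosen per context (an attribute value, a text node, a URL via `esc_url()`, or limited markup via `wp_kses()`). Attributes that should never be free-form, such as class names or numeric limits, are better constrained with an allowlist or `absint()` than escaped.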
Exploitation
An attacker with a Contributor role (or higher) can craft a post or page containing the vulnerable shortcode with a malicious attribute value. The attacker does not need any special network position beyond standard web access to the WordPress admin panel. No user interaction beyond the visitor loading the affected page is required for the stored script to execute.
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS). When an administrator or other user views the compromised page, the injected script runs in their browser session. This can result in session hijacking, credential theft, defacement, or forced administrative actions, effectively enabling privilege escalation from contributor to administrator-level access.
Mitigation
No official fix was available as of the last update referenced [1]. Users should disable the plugin or remove it entirely until a patched version is released. The plugin may be listed on the CISA Known Exploited Vulnerabilities (KEV) catalog if active exploitation is reported; however, no KEV listing was noted in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/d7369f1d-d1a0-4576-a676-c70525a6c743 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.