WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS
Description
The WP Image Carousel WordPress plugin through 1.0.2 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WP Image Carousel, range: <= 1.0.2
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping of parameters allows stored cross-site scripting."
Attack vector
An attacker with a Contributor-level role (or higher) can inject arbitrary JavaScript into plugin parameters that are not sanitized or escaped [ref_id=1]. When the WordPress page or post containing the WP Image Carousel shortcode is viewed by another user, the injected script executes in their browser. The attack requires only the ability to create or edit posts, which is available to Contributors in a standard WordPress installation [ref_id=1]. The payload is stored in the database and triggers on every subsequent page load, making this a stored XSS attack [CWE-79].
Affected code
The advisory does not specify exact file paths or function names [ref_id=1]. The vulnerability exists in the shortcode-handling logic of the WP Image Carousel plugin (versions through 1.0.2), where parameters accepted by the shortcode are neither sanitized on input nor escaped on output [ref_id=1].
What the fix does
No patch or fix has been published by the plugin vendor [ref_id=1]. The advisory recommends that site administrators apply proper input sanitization and output escaping to all plugin parameters, particularly those processed by shortcode handlers [ref_id=1]. Until a patched version is released, the only remediation is to disable or remove the plugin, or to restrict the Contributor role from using the plugin's shortcode via a capability check.
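As an added illustration (not code from the WP Image Carousel plugin; the advisory names no files or functions, so the shortcode tag, attribute names and handler names below are assumed), the unsafe shortcode-handler pattern the advisory describes, beside the sanitise-on-input / escape-on-output form and the interim capability gate it recommends:

```php
<?php
// Constructed example for a WordPress plugin; the shortcode tag 'image-carousel' and the
// 'title'/'width' attributes are assumptions, not the plugin's real interface.

// Vulnerable pattern: attribute values are written into the HTML unchanged. A value stored
// in the post is reflected on every page view, which is the CWE-79 condition in the advisory.
function ic_demo_carousel_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'width' => '600' ), $atts, 'image-carousel' );
    return '<div class="carousel" style="width:' . $atts['width'] . 'px" title="'
        . $atts['title'] . '"></div>';
}

// Hardened pattern: whitelist the attributes, coerce each to its expected type on input,
// and escape at the output context where it is written (here an HTML attribute).
function ic_demo_carousel_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'width' => '600' ), $atts, 'image-carousel' );
    $title = sanitize_text_field( $atts['title'] ); // strips tags and control characters
    $width = absint( $atts['width'] );              // numeric attribute: only a non-negative int survives
    return sprintf(
        '<div class="carousel" style="width:%dpx" title="%s"></div>',
        $width,
        esc_attr( $title )                          // attribute-context escaping
    );
}

// Interim mitigation from the advisory: refuse to render the shortcode unless the post's
// author may post unfiltered HTML. The check is on the author, not the viewer, because the
// shortcode is rendered for whoever loads the page.
function ic_demo_carousel_gated( $atts ) {
    $post = get_post();
    if ( ! $post || ! author_can( $post, 'unfiltered_html' ) ) {
        return '';
    }
    return ic_demo_carousel_hardened( $atts );
}

add_shortcode( 'image-carousel', 'ic_demo_carousel_gated' );
```

The gated handler is a stopgap for sites that cannot remove the plugin; the hardened handler is what a vendor patch would need to do for every attribute the real shortcode accepts.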
Preconditions
- auth: The attacker must have a WordPress user account with at least the Contributor role.
- config: The WP Image Carousel plugin (version <= 1.0.2) must be installed and active.
- input: The attacker must be able to create or edit a post/page that uses the WP Image Carousel shortcode.
Reproduction
1. Log in to WordPress as a Contributor-level user.
2. Create a new post and insert the WP Image Carousel shortcode with a malicious parameter value, for example: `[image-carousel param="<script>alert('XSS')</script>"]`.
3. Publish or save the post.
4. When any user (including an Administrator) views the post, the injected JavaScript executes in their browser [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/58649228-69a6-4028-8487-166b0a07fcf7 (tags: mitre, exploit, vdb-entry, technical-description)