WordPress Slide Anything Plugin <= 2.4.9 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Authenticated (Author role or higher) stored Cross-Site Scripting (XSS) vulnerability in the simonpedge Slide Anything – Responsive Content / HTML Slider and Carousel plugin, versions <= 2.4.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Slide Anything plugin up to version 2.4.9 contains a stored XSS vulnerability that allows authenticated authors or higher to inject malicious scripts into WordPress sites.
Vulnerability
The Slide Anything – Responsive Content / HTML Slider and Carousel plugin for WordPress (slug: slide-anything) versions up to and including 2.4.9 is affected by an authenticated stored cross-site scripting (XSS) vulnerability [1][2]. The bug resides in the plugin's input handling for slider content, where an attacker with author-level privileges or higher can inject arbitrary JavaScript or HTML into slider data that is later served to site visitors. No special configuration beyond the default plugin setup is required; the vulnerable code path is reachable whenever a user with sufficient permissions edits or creates a slider [1].
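As an added illustration of this defect class (not code from the Slide Anything plugin, whose actual save routine is not shown on this page), the following shows the unsafe pattern next to its hardened form in the WordPress API; the hook, meta key, nonce action and form field name are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook, meta key and field name are
// hypothetical; the point is the pattern: slider HTML saved by a user who lacks
// the unfiltered_html capability must go through wp_kses_post() before storage.

// Unsafe pattern: slider HTML from the form is stored verbatim, so an Author
// can persist active content that every front-end visitor's browser executes.
function sa_demo_save_slide_unsafe( int $post_id ): void {
    if ( ! isset( $_POST['sa_demo_slide_html'] ) ) {
        return;
    }
    $html = wp_unslash( $_POST['sa_demo_slide_html'] );
    update_post_meta( $post_id, '_sa_demo_slide_html', $html ); // no filtering
}

// Hardened pattern: check the nonce and edit capability, then apply the same
// filtering core applies to post content for users without unfiltered_html.
// wp_kses_post() removes <script>, on* event handlers and javascript: URLs
// while keeping ordinary slide markup such as <div>, <img> and <a>.
function sa_demo_save_slide_hardened( int $post_id ): void {
    if ( ! isset( $_POST['sa_demo_slide_html'], $_POST['sa_demo_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['sa_demo_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'sa_demo_save_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $html = wp_unslash( $_POST['sa_demo_slide_html'] );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html ); // Authors and Editors land here by default
    }
    update_post_meta( $post_id, '_sa_demo_slide_html', $html );
}
add_action( 'save_post', 'sa_demo_save_slide_hardened' );

// Defence in depth on output: filter again when rendering, so slides stored
// before the fix, or by a user whose role was later reduced, are also neutralised.
function sa_demo_render_slide( int $post_id ): string {
    $html = (string) get_post_meta( $post_id, '_sa_demo_slide_html', true );
    return '<div class="sa-demo-slide">' . wp_kses_post( $html ) . '</div>';
}
```

The output-side filter is what makes already-stored content safe after an upgrade; fixing only the save path leaves previously injected slides live.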
Exploitation
To exploit the vulnerability, an attacker must have an account on the WordPress site with at least the Author role (or higher, such as Editor or Administrator). The attacker then creates or edits a slider via the plugin's admin interface, embedding malicious script payloads into the slider content fields. The stored payload is subsequently rendered on the front end when any visitor loads a page containing the infected slider. In some attack scenarios, user interaction from a privileged user (e.g., clicking a malicious link or visiting a crafted page) may also be required to trigger the injection, but the primary mechanism is the direct saving of malicious input [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of visitors viewing pages with the compromised slider. This can lead to session hijacking, redirection to malicious sites, theft of cookies or authentication tokens, defacement, or injection of advertisements and other unwanted HTML content. The attack compromises the confidentiality and integrity of data viewed by site visitors and may be leveraged for mass campaign attacks across thousands of sites [1].
Mitigation
No patched version of the plugin is available. The plugin was closed and removed from the official WordPress.org plugin directory on June 14, 2024, citing a security issue [2]. Users who have Slide Anything installed should immediately uninstall the plugin and replace it with an alternative slider solution. If immediate removal is not feasible, a web application firewall (WAF) rule or a custom mitigation rule from Patchstack can block exploitation attempts, but the plugin itself should be considered permanently unsafe [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.4.9
- simonpedge/Slide Anything – Responsive Content / HTML Slider and Carousel, Range: n/a
Patches
slide-anything: This plugin has been removed from the WordPress.org directory on 2024-06-14 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
News mentions
No linked articles in our index yet.