WP Review Slider < 13.0 - Admin+ Stored XSS

Vulnerability

The WP Review Slider WordPress plugin before version 13.0 fails to sanitise and escape some of its settings. This allows high privilege users, such as administrators, to inject arbitrary web scripts into the plugin's settings. The vulnerability is exploitable even when the unfiltered_html capability is disallowed, which is typical in multisite setups [1].

Exploitation

An attacker must have admin-level access to the WordPress site. They can then inject malicious JavaScript or HTML into the unsanitised settings fields of the WP Review Slider plugin. No special network position or additional user interaction is required beyond the admin saving the settings. The stored script will then execute whenever the affected settings page or plugin output is loaded by other users, including other administrators [1].

Impact

Successful exploitation leads to Stored Cross-Site Scripting (XSS). The attacker can execute arbitrary JavaScript in the context of other admin users' browsers. This may result in session hijacking, defacement, or theft of sensitive information. The scope of compromise is limited to the WordPress admin area and pages where the plugin output is rendered [1].

Mitigation

Update the WP Review Slider plugin to version 13.0 or later, which was released on 2023-12-26 [1]. For multisite installations where updates may be controlled by a super admin, ensure the lock is lifted. No other workarounds are documented. This CVE is not listed on the KEV catalog [1].