Social Slider Feed < 2.2.9 - Admin+ Stored XSS via Widgets
Description
Social Slider Feed WordPress plugin before 2.2.9 allows admin-level stored XSS via unsanitized settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Social Slider Feed WordPress plugin versions before 2.2.9 fail to sanitize and escape some of its settings. This allows administrators to inject arbitrary web scripts into widget settings, which are stored and later executed in the context of other users' sessions. The vulnerability is present in all plugin versions prior to 2.2.9 [1].
Exploitation
An attacker must have administrator-level access to the WordPress site, including in multisite configurations where the "unfiltered_html" capability is normally disallowed. The attacker can inject malicious JavaScript into unsanitized plugin settings fields, such as those used in widgets. The injected script is then stored and executed whenever the affected widget is rendered for any user (including lower-privileged users or visitors) [1].
Impact
Successful exploitation results in stored cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the browser of any user viewing the affected widget. This can lead to session hijacking, redirection to malicious sites, or other client-side attacks. The attacker does not need the "unfiltered_html" capability, making the vulnerability especially dangerous in multisite environments [1].
Mitigation
The vulnerability is fixed in version 2.2.9 of the Social Slider Feed plugin. Administrators should update to this version immediately. No workarounds are documented in the available references [1].
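The references do not document what the 2.2.9 fix changed, so the following is an added, hypothetical WordPress widget (not the Social Slider Feed plugin's code) illustrating the bug class described above and the standard defensive pattern: sanitize every setting in update() and escape every setting again at output in widget() and form(). The class and setting names (Example_Feed_Widget, title, caption, count) are assumptions for the illustration.

```php
<?php
// Added example, not code from the Social Slider Feed plugin.
// Demonstrates the two places an admin-level stored XSS in widget
// settings is introduced (save) and triggered (render), and the
// WordPress APIs that close both.

class Example_Feed_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_feed_widget', 'Example Feed Widget' );
    }

    // Vulnerable "before" pattern (not wired in; shown for contrast):
    // settings are stored verbatim. An administrator, including one on a
    // multisite install without unfiltered_html, could save markup here
    // that widget() would later echo to every visitor.
    public function update_unsafe( $new_instance, $old_instance ) {
        return $new_instance;
    }

    // Hardened pattern: normalise each setting on save. WordPress calls
    // update() for every widget save, so this is the storage-side fix.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $instance['title']   = sanitize_text_field( $new_instance['title'] ?? '' );
        // wp_kses_post() keeps ordinary post markup but strips script tags
        // and event-handler attributes, the same allow-list WordPress applies
        // to users who lack the unfiltered_html capability.
        $instance['caption'] = wp_kses_post( $new_instance['caption'] ?? '' );
        $instance['count']   = absint( $new_instance['count'] ?? 5 );
        return $instance;
    }

    // Render: escape at the point of use even though update() sanitized,
    // because rows saved before the fix may still hold raw input.
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        if ( ! empty( $instance['title'] ) ) {
            echo $args['before_title'] . esc_html( $instance['title'] ) . $args['after_title'];
        }
        echo '<div class="example-feed" data-count="' . esc_attr( $instance['count'] ?? 5 ) . '">';
        echo wp_kses_post( $instance['caption'] ?? '' );
        echo '</div>';
        echo $args['after_widget'];
    }

    // Admin form: values echoed back into the settings screen are output
    // context too, so escape them as attributes.
    public function form( $instance ) {
        $title = $instance['title'] ?? '';
        printf(
            '<p><label for="%1$s">Title</label> <input id="%1$s" name="%2$s" type="text" value="%3$s"></p>',
            esc_attr( $this->get_field_id( 'title' ) ),
            esc_attr( $this->get_field_name( 'title' ) ),
            esc_attr( $title )
        );
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Feed_Widget' );
} );
```

When reviewing a widget for this class of issue, check both halves: every key written in update() passes through a sanitizer appropriate to its type (sanitize_text_field, wp_kses_post, absint, esc_url_raw), and every key read in widget() or form() passes through the matching escaper (esc_html, esc_attr, esc_url, wp_kses_post) for the HTML context it lands in.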
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
1. wpscan.com/vulnerability/1619dc4b-4e5e-4b82-820b-3c4e732db3ad/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.