CVE-2024-10179

The Slickstream: Engagement and Conversions plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.4.4. The flaw resides in the slick-grid shortcode, where user-supplied attributes are not properly sanitized or escaped before being stored and later rendered. This insufficient input validation allows malicious HTML and JavaScript to be persisted on the site.

Exploitation requires an authenticated attacker with at least Contributor-level access. The attacker can inject arbitrary web scripts into a page or post via the vulnerable shortcode. When any user—including administrators or visitors—accesses the compromised page, the injected script executes in their browser context. No additional privileges or network position are needed beyond the contributor role.

Successful exploitation leads to full client-side compromise: an attacker can steal session cookies, perform actions on behalf of the victim, deface the site, or redirect users to malicious domains. Because the XSS is stored, the payload remains active until the injected content is removed or the plugin is updated.

The vendor has addressed this vulnerability in a subsequent release; users should update the Slickstream plugin to version 1.4.5 or later. No workaround is available other than disabling the shortcode or restricting contributor-level access until the patch is applied [1].