WP Touch Slider <= 2.2 - Reflected XSS
Description
The OWL Carousel Slider WordPress plugin through 2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in OWL Carousel Slider plugin through 2.2 allows high-privilege users to be targeted via unsanitized parameter output.
Vulnerability
The OWL Carousel Slider WordPress plugin, version 2.2 and earlier, contains a reflected cross-site scripting (XSS) vulnerability. The plugin fails to sanitize and escape a parameter before including it in the page output, enabling injection of arbitrary JavaScript. No authentication is required to trigger the vulnerable code path, though the attacker must convince a victim to visit a crafted URL. [1]
Exploitation
An attacker can craft a malicious URL containing the XSS payload in the unsanitized parameter and deliver it to a logged-in user, particularly a high-privilege user such as an administrator. The victim only needs to visit the link; no further user interaction is required after that. The proof-of-concept demonstrates reflected injection of the parameter value into the page response. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session theft, forced administrative actions, or defacement of the site. As the vulnerability targets high-privilege users, the scope extends to full site compromise under the attacker's control during the session. [1]
Mitigation
No fix has been released as of the publication date (2025-02-17). The plugin is marked as having "No known fix" in the advisory. Users should consider deactivating or uninstalling the plugin until a patched version is made available, as there are no simple workarounds short of removing the plugin. [1]
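The defect described above (request input written into the response without sanitisation or escaping) and the fix a patched release would need are shown below as an added illustration. This is not the OWL Carousel Slider plugin's code: the advisory does not name the affected parameter, so `slider_title` and `slider_target` are hypothetical placeholders, and the snippet assumes a WordPress runtime where `wp_unslash()`, `sanitize_text_field()`, `esc_html()`, `esc_attr()` and `esc_url()` are available.

```php
<?php
// Added illustration of the vulnerable pattern beside its hardened form.
// Not the plugin's own code; parameter names are hypothetical placeholders.

// Vulnerable pattern: the raw query-string value is concatenated straight
// into the HTML response, so any markup in it is interpreted by the browser.
// This is the shape of defect the advisory describes (reflected XSS).
function render_slider_title_unsafe() {
    $title = isset( $_GET['slider_title'] ) ? $_GET['slider_title'] : '';
    echo '<h2 class="owl-title">' . $title . '</h2>';
}

// Hardened pattern: sanitise on input, escape on output.
// - wp_unslash() removes the slashes WordPress adds to superglobals.
// - sanitize_text_field() strips tags and control characters from the value.
// - esc_html() encodes <, >, &, " and ' for an HTML text context.
function render_slider_title_safe() {
    $title = isset( $_GET['slider_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['slider_title'] ) )
        : '';
    echo '<h2 class="owl-title">' . esc_html( $title ) . '</h2>';
}

// The escaper must match the output context. A value placed in an attribute
// needs esc_attr(); a value used as a link target needs esc_url(), which also
// rejects non-http(s) schemes such as javascript:.
function render_slider_link_safe() {
    $target = isset( $_GET['slider_target'] )
        ? sanitize_text_field( wp_unslash( $_GET['slider_target'] ) )
        : '';
    echo '<a class="owl-link" href="' . esc_url( $target ) . '"'
        . ' data-label="' . esc_attr( $target ) . '">Slide</a>';
}

// For handlers that only administrators should reach, gate the code path as
// well: a crafted link reaching an unprivileged or unverified request should
// not render anything at all.
function render_slider_admin_panel() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'owl_slider_panel' ); // dies if the nonce is missing or invalid
    render_slider_title_safe();
    render_slider_link_safe();
}
```

Until a patched release exists, a site owner can apply the same review to any custom code that echoes `$_GET`/`$_REQUEST` values: every output site should pass through the escaper for its context, and escaping at output is what makes the fix robust even if input sanitisation is later bypassed.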
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/f7e425a1-ae49-4ea6-abe4-42ba2713af8f/
News mentions: 0
No linked articles in our index yet.