The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin’s settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. Timeline July 19th, 2021 - Details sent to vendor July 21st, 2021 - Vendor working on a patch August 11th, 2021 - Asked for update August 12th, 20121 - Ticket handler will follow up with dev September 21st, 2021 - No update, public disclosure
As a subscriber, create a Slider with the following payload in the Slider Title: "> Then view the Sliders list or Edit the slider to trigger the XSS https://www.youtube.com/watch?v=8oHr_PE2eZ8