The plugin does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks.
Create or edit a Slide and put the following payload in the Name field: " onfocus=alert(/XSS/) autofocus=" The XSS will be triggered when editing the slide again
CPE | Name | Operator | Version |
---|---|---|---|
slider-hero | lt | 8.4.4 |