Source: wpvulndb | Author: Lana Codes | WPVDB-ID: 58649228-69A6-4028-8487-166B0A07FCF7
History: Mar 03, 2023 - 12:00 a.m.

WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS

2023-03-03 00:00:00
Lana Codes
wpscan.com
6
wordpress
image carousel
contributor
stored xss
cross-site scripting

EPSS: 0.001 (Low)
EPSS Percentile: 23.4%

The plugin does not sanitise or escape some shortcode parameters before placing them in page output, which could allow users with a role as low as Contributor to perform stored Cross-Site Scripting attacks.

PoC

1. Go to the plugin settings and insert all the settings, then save.
2. Insert the following shortcode in a post/page: [wpic speed=‘“”}); alert(1); jQuery({“temp”:true’]
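To illustrate the bug class behind the description and PoC above (a shortcode attribute reaching an inline jQuery call unescaped), here is an added PHP example that is not code from WP Image Carousel: a hypothetical handler showing the unsafe pattern, followed by a hardened version. The function names, the `wpic_` prefix, the `wpic-carousel` script handle and the `.carousel()` jQuery method are assumptions.

```php
<?php
// Hypothetical handler (not the plugin's code) showing the unsafe pattern: the
// shortcode attribute is concatenated straight into an inline <script> block, so any
// Contributor who can place the shortcode controls JavaScript on the rendered page.
function wpic_unsafe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'speed' => 5000 ), $atts, 'wpic' );
    return '<div class="wpic"></div>'
        . '<script>jQuery(".wpic").carousel({"speed":"' . $atts['speed'] . '"});</script>';
}

// Hardened version: coerce the attribute to the type it must be, serialise the whole
// config with wp_json_encode() instead of string concatenation, and attach it to an
// enqueued script rather than emitting a raw <script> tag from the shortcode.
function wpic_safe_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'speed' => 5000 ), $atts, 'wpic' );
    $speed = absint( $atts['speed'] );   // non-negative integer or 0; quotes cannot survive
    if ( $speed < 100 ) {
        $speed = 5000;                   // reject bogus or empty values, use the default
    }
    $config = wp_json_encode( array( 'speed' => $speed ) );
    // Assumes 'wpic-carousel' was registered earlier with wp_register_script().
    wp_enqueue_script( 'wpic-carousel' );
    wp_add_inline_script( 'wpic-carousel', 'jQuery(".wpic").carousel(' . $config . ');' );
    return '<div class="wpic"></div>';
}
add_shortcode( 'wpic', 'wpic_safe_shortcode' );
```

The same rule applies to every attribute the shortcode accepts: a value that ends up in HTML goes through esc_attr(), one that ends up in JavaScript goes through wp_json_encode() after type validation.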

CPE
Name                Operator   Version
wp-image-carousel   eq         *
