The plugin does not sanitize and escape the Text to Display settings of sliders, which could allow high-privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a Slider, select "text or HTML" for the "What would you like to display?" setting (at the bottom of the page), and put the following payload in the "Text to display" field while in Text mode:

The XSS will be triggered in the post/page where the slider is embedded/displayed.
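The usual remediation for this class of bug, shown as an added example that is not the plugin's own code: filter the field with `wp_kses_post()` on save when the user lacks `unfiltered_html`, and filter again on output. The meta key, nonce, form field and shortcode names are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's code. The meta key, nonce action,
 * form field names and shortcode tag are hypothetical.
 */
const EXAMPLE_META_KEY = '_example_slider_text';

// Save path: validate the request, then sanitize before storing.
add_action( 'save_post', 'example_save_slider_text' );
function example_save_slider_text( $post_id ) {
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}
	if ( ! isset( $_POST['example_slider_nonce'], $_POST['example_slider_text'] ) ) {
		return;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST['example_slider_nonce'] ) );
	if ( ! wp_verify_nonce( $nonce, 'example_save_slider' ) ) {
		return;
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	$text = wp_unslash( $_POST['example_slider_text'] );

	// Users without unfiltered_html get the post-content allowlist applied,
	// which strips script tags and event-handler attributes.
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		$text = wp_kses_post( $text );
	}

	// update_post_meta() unslashes its input, so re-slash the cleaned value.
	update_post_meta( $post_id, EXAMPLE_META_KEY, wp_slash( $text ) );
}

// Output path: filter again, so values stored before the fix or written
// by another code path are still neutralized when the slider is rendered.
add_shortcode( 'example_slider', 'example_render_slider' );
function example_render_slider( $atts ) {
	$atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_slider' );
	$text = (string) get_post_meta( absint( $atts['id'] ), EXAMPLE_META_KEY, true );

	return '<div class="example-slider-text">' . wp_kses_post( $text ) . '</div>';
}
```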
CPE

Name | Operator | Version |
---|---|---|
wp-contact-slider | lt | 2.4.7 |