Recently Closed WordPress Plugin with 50,000+ Installs Contains Authenticated Persistent XSS Vulnerability
On Monday, the WordPress plugin Slideshow was closed on WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains an authenticated persistent cross-site scripting (XSS) vulnerability.
When creating or editing one of the plugin's slideshows, there are text inputs in the Slideshow Settings for which there isn't proper sanitization, validation, and/or escaping. Malicious JavaScript can be saved into at least some of those inputs and is later output unescaped, which is an authenticated persistent XSS vulnerability. If access were limited to users with the unfiltered_html capability, that wouldn't be a vulnerability (though it would still be a security issue, since WordPress already permits those users to store arbitrary HTML), but by default the plugin grants users with the Author role access to those settings, and Authors don't have that capability.
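To make the pattern concrete, here is an added example (written for this page, not code from the Slideshow plugin or from the original post) of a WordPress setting that is stored and rendered the vulnerable way, alongside a hardened version. The function names, the meta key `example_slideshow_caption`, the nonce action and the form field names are all hypothetical; the WordPress API calls (`sanitize_text_field`, `wp_kses_post`, `esc_attr`, `esc_html`, `current_user_can`, `check_admin_referer`, `update_post_meta`, `get_post_meta`) are real and behave as used here.

```php
<?php
// Added illustration, not the plugin's code. Assumes it runs inside WordPress
// (the wp_* / esc_* / sanitize_* functions and post meta API are available).
// The meta key, nonce action and field names below are hypothetical.

/* ---- Vulnerable pattern: raw input stored, raw value echoed ---- */

function example_save_caption_vulnerable( int $slideshow_id ): void {
    // No capability or nonce check, and the value goes into the database
    // exactly as submitted, <script> tags and all.
    update_post_meta( $slideshow_id, 'example_slideshow_caption', $_POST['caption'] );
}

function example_render_caption_vulnerable( int $slideshow_id ): string {
    $caption = get_post_meta( $slideshow_id, 'example_slideshow_caption', true );
    // Unescaped output: anything stored above lands in every visitor's page,
    // which is what turns bad input handling into persistent XSS.
    return '<div class="caption" title="' . $caption . '">' . $caption . '</div>';
}

/* ---- Hardened pattern: check, sanitize on save, escape on output ---- */

function example_save_caption_hardened( int $slideshow_id ): bool {
    // Only proceed for a user who may edit this specific slideshow post and
    // who submitted the form via a valid nonce (CSRF protection).
    if ( ! current_user_can( 'edit_post', $slideshow_id ) ) {
        return false;
    }
    check_admin_referer( 'example_save_caption_' . $slideshow_id ); // hypothetical nonce action

    $raw = isset( $_POST['caption'] ) ? wp_unslash( $_POST['caption'] ) : '';

    if ( current_user_can( 'unfiltered_html' ) ) {
        // Administrators (on single sites) may store arbitrary HTML; that is
        // a WordPress policy decision, not something the plugin needs to police.
        $clean = $raw;
    } else {
        // Authors, Contributors and so on get only the post-safe HTML subset:
        // wp_kses_post() strips <script>, on* event handlers, javascript: URLs, etc.
        $clean = wp_kses_post( $raw );
    }

    update_post_meta( $slideshow_id, 'example_slideshow_caption', $clean );
    return true;
}

function example_render_caption_hardened( int $slideshow_id ): string {
    $caption = (string) get_post_meta( $slideshow_id, 'example_slideshow_caption', true );

    // Escape for the context the value is written into. An attribute value
    // needs esc_attr(); element text needs esc_html(). Stored HTML that was
    // allowed through wp_kses_post() is re-filtered at output as a second line
    // of defence, so a row written by older, vulnerable code is still neutralised.
    $plain = wp_strip_all_tags( $caption );
    return '<div class="caption" title="' . esc_attr( $plain ) . '">'
         . wp_kses_post( $caption )
         . '</div>';
}

/* ---- Variant for a setting that should never contain markup ---- */

function example_save_plain_text_setting( int $slideshow_id, string $field ): void {
    // For a title, a CSS class name or similar, there is no reason to keep any
    // HTML at all regardless of capability: sanitize_text_field() removes tags,
    // line breaks and stray octets, and esc_html()/esc_attr() handle the output.
    $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ?? '' ) );
    update_post_meta( $slideshow_id, 'example_slideshow_' . $field, $value );
}
```

The two halves of the fix are independent: sanitizing on save keeps the database clean, and escaping on output protects visitors even if some other code path (an import, an older plugin version, direct database access) has already stored a payload. Checking `unfiltered_html` rather than a role name matters because on multisite even administrators lack that capability, and because capabilities can be remapped by other plugins.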