WordPress sites that have this slider turned on might be vulnerable to Cross-Site Scripting attacks. This was fixed in version 8.5.1. If you are using the Slider Hero WordPress plugin on a site with this slider turned on, we highly recommend updating to the latest version as soon as possible.

Additionally, when a user clicks the “Add Media” button in the Image Slider, the plugin does not sanitize the user’s input before passing it to the Add Media functionality of the Media Library, which could allow a remote attacker to inject arbitrary HTML or script into the affected website.

How to check if your site is vulnerable

To check if your site is vulnerable and needs this fix, you can use a WordPress plugin called WP Security Audit.
1) Install the plugin, then go to:
2) Under the Slider Settings tab, click on “Show Advanced Options”.
3) Scroll down to the “Slider Settings” section and choose “Add Media” from the dropdown menu.
4) If there is an input field in this section with name="media_id", your site is vulnerable and needs to be fixed.
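As an added, scriptable complement to the manual check above (this script is not from the advisory or from the plugin's authors): it reads the `Version:` line that every WordPress plugin carries in its main file header and reports whether the installed release predates 8.5.1. The plugin directory name `slider-hero` and the sample header are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "8.5.1"  # release the advisory names as fixing the XSS
PLUGIN_SLUG = "slider-hero"  # assumed directory name under wp-content/plugins/

# Constructed sample of a WordPress plugin file header (not the real plugin's file).
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Slider Hero
 * Version: 8.4.9
 */
"""

def parse_version(header_text):
    """Return the value of the plugin header's 'Version:' line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.M)
    return m.group(1) if m else None

def version_key(version):
    """Numeric comparison key: '8.5.1' -> (8, 5, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return version_key(installed) < version_key(fixed)

def check_plugin_dir(plugin_dir, fixed=FIXED_VERSION):
    """Read the Version: header from the plugin's top-level .php files.
    Returns (version, vulnerable) or None when no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # the header sits at the top
        version = parse_version(head)
        if version is not None:
            return version, is_vulnerable(version, fixed)
    return None

def demo():
    """Run the check against the constructed sample in a temporary plugin directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / PLUGIN_SLUG
        plugin_dir.mkdir()
        (plugin_dir / "slider-hero.php").write_text(SAMPLE_PLUGIN_FILE)
        return check_plugin_dir(plugin_dir)  # ('8.4.9', True) for the sample
```

Point `check_plugin_dir` at the real `wp-content/plugins/<slug>` directory on a site to audit it; a `None` result means no header was found and the version should be confirmed another way.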

Solution: Update to Version 8.5.1 ASAP


Timeline

Published on: 09/26/2022 13:15:00 UTC
Last modified on: 09/27/2022 03:43:00 UTC
