Slider by Soliloquy Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Slider by Soliloquy WordPress plugin, specifically in version 2.6.2. This vulnerability allows authenticated attackers to inject malicious scripts through the title parameter. When attackers add JavaScript payloads in the title field while creating or editing sliders, these scripts execute in the browsers of users viewing the slider, affecting both administrative and frontend pages.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the slider.
Reproduction
To reproduce this vulnerability, install and activate the Slider by Soliloquy plugin version 2.6.2. After activation, navigate to the Soliloquy plugin interface and use the 'Add New' button to create a new slider. In the title field, inject a script payload, such as a JavaScript alert script. After adding an image to the slider, publish the post. The injected script will execute when the slider is viewed, triggering the cross-site scripting vulnerability.
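As an added illustration (not the plugin's own code; function and variable names are hypothetical), the output-escaping pattern that neutralises a stored title like the one described above in a WordPress context. It assumes the title is rendered into both an attribute and an element body, which is why two context-specific escapers are used.

```php
<?php
// Added example, not code from Slider by Soliloquy: a minimal slider title
// renderer in the vulnerable shape (raw echo) beside the hardened shape
// (escaped at output). Names below are hypothetical.

// Fallbacks so this file runs outside WordPress; inside WordPress the real
// esc_html()/esc_attr() are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored title is written into the page as-is, so any
// markup saved in the title becomes live markup for every viewer of the slider.
function render_slider_title_unsafe($title) {
    return '<div class="slider-title" title="' . $title . '">' . $title . '</div>';
}

// Hardened pattern: escape for the exact output context (attribute value vs.
// element body). Escaping on output also protects titles that were stored
// before the fix; sanitize_text_field() on save is a complementary layer.
function render_slider_title_safe($title) {
    return '<div class="slider-title" title="' . esc_attr($title) . '">'
         . esc_html($title) . '</div>';
}

// Constructed sample title of the kind the advisory describes.
$stored_title = 'Summer sale <script>alert(1)</script>';

echo "Unsafe:\n" . render_slider_title_unsafe($stored_title) . "\n\n";
echo "Safe:\n"   . render_slider_title_safe($stored_title) . "\n";
// The safe output contains &lt;script&gt;, which the browser shows as text.
```

A quick review check for plugins of this kind is to grep templates and admin views for `echo $` or `<?= $` on post titles and confirm each one passes through an `esc_*` function matching its context.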