The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Multi Post Carousel by Category WordPress plugin versions up to 1.4 contains a Stored XSS vulnerability in the 'slides' shortcode attribute due to insufficient input sanitization. Authenticated users with Contributor access or higher can inject malicious scripts that execute for all page visitors.
تحتوي إضافة Multi Post Carousel by Category لـ WordPress على ثغرة Stored XSS في معامل اختصار 'slides' بسبب عدم كفاية تنقية المدخلات والمخرجات. يمكن للمستخدمين المصرحين بمستوى المساهم أو أعلى حقن نصوص برمجية ضارة تُنفذ عند وصول أي مستخدم للصفحة المصابة.
The Multi Post Carousel by Category WordPress plugin versions up to 1.4 contains a Stored XSS vulnerability in the 'slides' shortcode attribute due to insufficient input sanitization. Authenticated users with Contributor access or higher can inject malicious scripts that execute for all page visitors.
Update the Multi Post Carousel by Category plugin to version 1.5 or later immediately. If immediate patching is not possible, restrict Contributor-level access to trusted users only and implement Web Application Firewall rules to detect and block XSS payloads in shortcode attributes.
قم بتحديث إضافة Multi Post Carousel by Category إلى الإصدار 1.5 أو أحدث فوراً. إذا لم يكن التحديث الفوري ممكناً، قيّد وصول مستوى المساهم للمستخدمين الموثوقين فقط وطبّق قواعد جدار الحماية لتطبيقات الويب للكشف عن حمولات XSS وحجبها.