CVE-2023-5362 in Carousel, Recent Post Slider and Banner Slider Plugininfo

Summary

by MITRE • 10/30/2023

The Carousel, Recent Post Slider and Banner Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'spice_post_slider' shortcode in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The Carousel Recent Post Slider and Banner Slider plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-5362 affecting versions up to and including 2.0. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's spic_post_slider shortcode implementation. The flaw allows authenticated attackers who possess contributor-level permissions or higher to inject malicious web scripts that execute whenever users access pages containing the injected content. The vulnerability operates as a stored XSS attack because the malicious scripts are permanently stored within the plugin's data handling mechanisms rather than being executed through a single request. This type of vulnerability falls under CWE-79 which specifically addresses Cross-Site Scripting flaws in software applications. The attack vector leverages the plugin's shortcode functionality where user-supplied attributes are not properly sanitized before being rendered in the web page output, creating an opening for persistent malicious code injection.

The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities through the compromised WordPress installation. Authenticated users with contributor privileges can leverage this vulnerability to inject scripts that could steal session cookies, redirect users to malicious sites, deface content, or even escalate privileges within the WordPress environment. The vulnerability's persistence means that once injected, the malicious scripts will execute for any user who accesses pages containing the compromised shortcode, potentially affecting a wide range of users including administrators. This makes the vulnerability particularly dangerous in multi-user environments where contributors and editors frequently publish content that may contain the vulnerable shortcode. The stored nature of the XSS attack allows for long-term persistence and broader impact compared to reflected XSS vulnerabilities which require specific user interaction with malicious links.

Security practitioners should recognize this vulnerability as part of the broader ATT&CK framework's TA0001 Initial Access and TA0002 Execution tactics. The vulnerability enables attackers to establish a foothold through the compromised plugin and then execute malicious code within the context of the victim's browser session. The attack chain typically begins with an authenticated user exploiting the contributor-level permissions to inject malicious code through the plugin's shortcode functionality. The vulnerability's classification as a stored XSS aligns with ATT&CK technique T1566.001 which covers the use of malicious content in web applications. Organizations should prioritize immediate remediation by updating to patched versions of the plugin, as the vulnerability affects all versions up to 2.0 and represents a significant risk to WordPress installations. The attack surface is particularly concerning for WordPress sites with multiple contributors or editorial teams where the vulnerable shortcode might be frequently used in content creation workflows.

Mitigation strategies should include immediate patching of the vulnerable plugin to version 2.1 or later where the sanitization and escaping issues have been addressed. Security teams should implement additional monitoring for unauthorized shortcode usage and content modifications within the WordPress admin interface. Network-level protections such as web application firewalls can provide additional layers of defense by detecting and blocking suspicious script injection patterns. Regular security audits of WordPress plugins should include verification of input sanitization practices and output escaping mechanisms. The vulnerability also highlights the importance of principle of least privilege in WordPress environments, where contributor accounts should have minimal permissions that do not include the ability to inject content that could be exploited for XSS attacks. Organizations should consider implementing Content Security Policy headers as an additional defensive measure to limit script execution capabilities within the WordPress environment. The vulnerability serves as a reminder of the critical importance of validating and sanitizing all user inputs in web applications, particularly in content management systems where multiple user roles interact with shared content creation tools.

Responsible

Wordfence

Reservation

10/03/2023

Disclosure

10/30/2023

Moderation

accepted

CPE

ready

EPSS

0.00519

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!