CVE-2021-24196 Social Slider Widget < 1.8.5 - Reflected XSS

Plugin Information


On the plugin settings page, the value of the user-controlled ‘token_error’ request parameter is echoed into the page without sanitization or output encoding. An attacker can therefore craft a link whose payload is reflected into the vulnerable page and executed in the victim’s browser (reflected XSS).

Here’s the POC:


When the server responds, the injected payloads are executed by the victim’s browser.



The vulnerability requires user interaction (e.g. clicking a crafted link) and only affects WordPress administrators who have access to the plugin settings page (/wp-admin/admin.php?page=settings-wisw). Because the payload runs in the administrator’s authenticated session, it inherits that administrator’s privileges. The vendor fixed the flaw by sanitizing the parameter in version 1.8.5.
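To make the echo-without-sanitization pattern and its fix concrete, here is an added, hypothetical PHP illustration; it is not the plugin’s code, and the function names, the error codes and the `$messages` table are assumptions. It shows a settings-page fragment that displays `token_error` the vulnerable way, then the same fragment with sanitization and output escaping, and a third variant that never echoes attacker-controlled text at all. Stand-ins for the WordPress helpers `esc_html()` and `sanitize_text_field()` are defined only when the real ones are absent, so the file also runs stand-alone from the command line.

```php
<?php
// Added illustration for this advisory; NOT the plugin's own code.
// Hypothetical fragment of the page behind /wp-admin/admin.php?page=settings-wisw
// that displays a `token_error` query parameter: vulnerable, then fixed.

// Stand-ins for the WordPress escaping helpers so the file also runs from the
// CLI (`php xss_token_error.php`). Inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Rough approximation of the core function: strip tags, control chars, whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Read the parameter as a string only; arrays (token_error[]=x) are ignored.
function token_error_param(array $request): string {
    $v = $request['token_error'] ?? '';
    return is_string($v) ? $v : '';
}

// VULNERABLE: the request value is concatenated into HTML unchanged, so a link
// carrying token_error="><script>...</script> runs script in the browser of the
// administrator who clicks it (reflected XSS).
function render_token_error_vulnerable(array $request): string {
    $msg = token_error_param($request);
    if ($msg === '') {
        return '';
    }
    return '<div class="error"><p>' . $msg . '</p></div>';
}

// FIXED, variant 1: sanitize on input, escape on output. esc_html() is what
// actually neutralizes the HTML sink; sanitize_text_field() additionally drops
// tags and control characters from the displayed text.
function render_token_error_escaped(array $request): string {
    $msg = token_error_param($request);
    if ($msg === '') {
        return '';
    }
    $msg = sanitize_text_field($msg);
    return '<div class="error"><p>' . esc_html($msg) . '</p></div>';
}

// FIXED, variant 2 (preferred): treat the parameter as an error code and map it
// to fixed messages, so attacker-controlled text never reaches the page.
// (The codes and messages here are assumed for the example.)
function render_token_error_allowlist(array $request): string {
    $messages = [
        'expired' => 'The access token has expired. Please reconnect the account.',
        'invalid' => 'The access token is invalid.',
    ];
    $code = token_error_param($request);
    if ($code === '') {
        return '';
    }
    $msg = $messages[$code] ?? 'An unknown token error occurred.';
    return '<div class="error"><p>' . esc_html($msg) . '</p></div>';
}

// Stand-alone demonstration with a constructed payload of the PoC's shape
// (not a literal URL from the advisory).
if (PHP_SAPI === 'cli') {
    $crafted = ['token_error' => '"><script>alert(document.domain)</script>'];
    echo "vulnerable: ", render_token_error_vulnerable($crafted), PHP_EOL;
    echo "escaped:    ", render_token_error_escaped($crafted), PHP_EOL;
    echo "allowlist:  ", render_token_error_allowlist($crafted), PHP_EOL;
}
```

Run from the CLI, the vulnerable variant prints the `<script>` tag verbatim inside the `<p>`, the escaped variant prints it as `&quot;&gt;alert(document.domain)` (tags stripped, remaining characters entity-encoded), and the allowlist variant prints only the generic message. When checking whether a given site is patched, the same idea applies: request the settings page with a harmless marker in `token_error` and confirm the marker comes back entity-encoded or not at all, rather than as raw markup.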


2021-01-12 Reported to the WordPress Plugin Review team

2021-01-13 Review team confirmed the issue and reported to vendor

2021-01-14 Vendor released 1.8.5 to fix the flaw

2021-01-21 Contacted the developer via email about publishing the issue; no further response

2021-03-14 Public disclosure

2021-03-17 Reported to wpscan and reserved CVE-2021-24196