Wp Tripadvisor Review Slider
Monthly
SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP TripAdvisor Review Slider WordPress plugin through version 14.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects all versions up to and including 14.1, and an attacker with sufficient privileges to inject content can compromise user sessions, steal credentials, or perform arbitrary actions on behalf of site administrators. No CVSS score or EPSS data is currently available, and active exploitation status via KEV is unknown, but Patchstack has documented this as a confirmed vulnerability with a reference implementation.
The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP TripAdvisor Review Slider WordPress plugin through version 14.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects all versions up to and including 14.1, and an attacker with sufficient privileges to inject content can compromise user sessions, steal credentials, or perform arbitrary actions on behalf of site administrators. No CVSS score or EPSS data is currently available, and active exploitation status via KEV is unknown, but Patchstack has documented this as a confirmed vulnerability with a reference implementation.
The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.