Vulnerability warning by iThemes Security (and possible by other security scanners)

Problem

iThemes Security and some other security scanners has started to write out these kind of warnings:

Vulnerabilities

Smart Slider 3 < 3.5.0.9 - Authenticated Stored Cross-Site Scripting (XSS)

Cause

You can add access to Smart Slider to non-admin users as well. For example, you can allow your editor role users to create or modify your sliders and slides.

In the Smart Slider admin area you are able to enter JavaScript codes. By giving access to users to edit your sliders, you also give them the opportunity to add their own JavaScript codes to your website as well. For security reasons being able to add such codes to your site shouldn't be allowed for non-administrator users. That is why this vulnerability is reported to you.

In Smart Slider you can add JavaScript codes to a bunch of fields, such as the JavaScript callbacks or HTML layer. To make your site more secure, starting from 3.5.0.10 Smart Slider is only available to those user roles, which have the unfiltered_html capability. This capability allows editing any kind of code, including HTMl and JavaScript on the WordPress websites.

Ultimately, before giving access to Smart Slider to any user on your site, you should be aware of the options Smart Slider offers, to know what kind of access you just gave them.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.