Vulnerability warning by iThemes Security (and possibly by other security scanners)


iThemes Security and some other security scanners have started to show this kind of warning:


Smart Slider 3 < - Authenticated Stored Cross-Site Scripting (XSS)


This warning refers to the fact that you can grant access to Smart Slider to non-administrator users as well, for example if you want users with the Editor role to be able to modify your sliders and slides. In the Smart Slider admin area you are able to enter JavaScript code, so by giving users access to edit your sliders you are also giving them the opportunity to add JavaScript code to your website. Some people think this kind of coding possibility shouldn't be available to these user roles, which is why they started to mark one of our fields as a vulnerability: JavaScript code can be written there. They haven't noticed, however, that nobody needs to "hack" their code into the system, because adding JavaScript is possible by default in other fields as well, like the JavaScript callbacks or the HTML layer. So we don't think this is actually a vulnerability: if you give someone access to the Smart Slider admin area, you should be aware of the options Smart Slider offers, so you know what kind of access you have just granted. But if you think this shouldn't happen, then simply don't give non-administrators access to your Smart Slider, as written in our documentation.

To provide a final solution from Smart Slider's side, we will restrict access so that only users with the unfiltered_html capability can reach our admin area. This is the capability that means a user is allowed to edit the HTML code (including JavaScript) of the website as well.
So no matter what role you select to give access to Smart Slider, users in that role won't get access without the unfiltered_html capability.
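The following is an added illustration of this kind of capability gate in a WordPress plugin; it is not Smart Slider's own code. The plugin slug "example-slider", the option name "example_slider_custom_js" and the function names are assumptions made for the example.

```php
<?php
/*
 * Added example (not Smart Slider's code): an admin page that is gated on the
 * unfiltered_html capability rather than on a role. WordPress maps
 * unfiltered_html to "do_not_allow" on multisite for non-super-admins and
 * whenever DISALLOW_UNFILTERED_HTML is defined as true, so the same gate
 * also honours those site-wide settings.
 */

// Register the menu entry with unfiltered_html as the required capability, so
// that WordPress refuses users who lack it, whatever role they were given.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Example Slider',             // page title (assumed)
        'Example Slider',             // menu title (assumed)
        'unfiltered_html',            // required capability, not a role
        'example-slider',             // menu slug (assumed)
        'example_slider_render_page'  // callback defined below
    );
} );

function example_slider_render_page() {
    // Defence in depth: re-check in the callback, because a menu entry alone
    // does not protect a handler that is reached by a direct POST request.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( esc_html__( 'You need the unfiltered_html capability to edit slider code.', 'example-slider' ) );
    }

    if ( isset( $_POST['example_slider_js'] ) ) {
        // The nonce ties the save to a form this user rendered (CSRF check).
        check_admin_referer( 'example_slider_save' );
        // Raw JavaScript is stored only because the capability check above
        // passed; a user without unfiltered_html never reaches this line.
        update_option( 'example_slider_custom_js', wp_unslash( $_POST['example_slider_js'] ) );
    }

    $js = get_option( 'example_slider_custom_js', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_slider_save' ); ?>
        <textarea name="example_slider_js" rows="10" cols="80"><?php echo esc_textarea( $js ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Because the gate is a capability and not a role, giving the Editor role access to the plugin changes nothing unless that role (or the individual user) also holds unfiltered_html.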