Description
The Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lgx_tooltip_position' parameter in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version
Timeline
| 2026-06-25: | Vendor Notified |
| 2026-07-09: | Disclosed |
Credits
Athiwat Tiprasaharn (Jitlada)
Itthidej Aramsri (Boeing777)
References
www.wordfence.com/...-1f3a-4d1c-b832-69423a35fad5?source=cve
plugins.trac.wordpress.org/...ials/template/view-default.php
plugins.trac.wordpress.org/...c/partials/view-controller.php
plugins.trac.wordpress.org/...class-logo-slider-wp-admin.php
plugins.trac.wordpress.org/...p&new=3601263%40logo-slider-wp