Security vulnerability

I am also seeing this error on my site: “WordPress Master Slider Plugin <= 3.11.0 – Cross Site Scripting (XSS) Vulnerability,” as well as, “WordPress Master Slider plugin <= 3.11.0 – Broken Access Control vulnerability”. Is there a fix in the works? Thank you!

I see the same error and tried filling out the chat contact form on their site to see if they will take action on fixing this.

Still not fixed!

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/masterslider/master-slider-pro-3712-authenticated-contributor-stored-cross-site-scripting

For what it’s worth, I had Cursor review the Wordfence message and the plugin file,s and it provided this insight and update. If you update the includes/msp-shortcodes.php plugin file, you likely will be safe until they come up with an update. Assuming they don’t completely abandon the plugin.

Summary of the vulnerability

• Issue: In version 3.11.0 of Master Slider (master-slider.php shows Version: 3.11.0), the ms_slider shortcode accepts many attributes that are later interpolated directly into an inline <script> block in includes/msp-shortcodes.php without proper sanitization and escaping.
• Impact: A contributor-level user can create or edit a post and insert a malicious shortcode like [ms_slider id=”1″ layout=”…JS payload…”]. Because several attributes (layout, direction, fill_mode, view, parallax_mode, Flickr/Facebook parameters) were injected into JavaScript without esc_js() and only weak/no validation, this could break out of strings and run arbitrary JavaScript in visitors’ browsers.
• Classification: This matches Wordfence’s description of authenticated stored XSS due to insufficient input sanitization and output escaping 1.

What I changed to harden the pluginAll changes are in includes/msp-shortcodes.php inside msp_masterslider_wrapper_shortcode.1. Sanitize and validate shortcode attributesRight after the shortcode attributes are merged and extracted:

$mixed = shortcode_atts( /* … defaults … */, $atts , ‘ms_slider’ );

extract( $mixed );

<canvas width=”0″ height=”48″></canvas><canvas width=”0″ height=”48″></canvas>I added a sanitization block that:

• Normalizes scalar values:

$id = absint( $id );

<canvas width=”0″ height=”30″></canvas><canvas width=”0″ height=”30″></canvas>

• Whitelists layout/JS mode options to known-good values:

$layout        = in_array( $layout, array( ‘boxed’, ‘fullwidth’, ‘partialview’, ‘fillwidth’ ), true ) ? $layout : ‘fillwidth’;

$direction     = in_array( $direction, array( ‘h’, ‘v’ ), true ) ? $direction : ‘h’;

$fill_mode     = in_array( $fill_mode, array( ‘fill’, ‘fit’, ‘stretch’, ‘center’, ’tile’, ‘fillrepeat’, ‘none’ ), true ) ? $fill_mode : ‘fill’;

$layers_mode   = in_array( $layers_mode, array( ‘center’, ‘full’ ), true ) ? $layers_mode : ‘center’;

$parallax_mode = in_array( $parallax_mode, array( ‘swipe’, ‘mouse’, ‘scroll’, ‘off’ ), true ) ? $parallax_mode : ‘swipe’;

$view          = preg_replace( ‘/[^a-z0-9_-]/i’, ”, $view );

$slider_type   = in_array( $slider_type, array( ‘custom’, ‘flickr’, ‘facebook’, ‘post’ ), true ) ? $slider_type : ‘custom’;

<canvas width=”0″ height=”148″></canvas><canvas width=”0″ height=”148″></canvas>

• Sanitizes external source configuration used inside JS:

$flickr_key        = sanitize_text_field( $flickr_key );

$flickr_id         = sanitize_text_field( $flickr_id );

$flickr_type       = sanitize_text_field( $flickr_type );

$flickr_size       = sanitize_text_field( $flickr_size );

$flickr_thumb_size = sanitize_text_field( $flickr_thumb_size );

$facebook_username   = sanitize_text_field( $facebook_username );

$facebook_albumid    = sanitize_text_field( $facebook_albumid );

$facebook_type       = sanitize_text_field( $facebook_type );

$facebook_size       = sanitize_text_field( $facebook_size );

$facebook_thumb_size = sanitize_text_field( $facebook_thumb_size );

<canvas width=”0″ height=”210″></canvas><canvas width=”0″ height=”210″></canvas>This ensures even if a contributor passes hostile shortcode attributes, they’re reduced to safe, expected formats before any output.2. Properly escape values embedded into JavaScriptInside the inline script where the slider instance is configured, I updated string injections to use esc_js():

• Slider setup options:

layout     : “<?php echo esc_js( $layout ); ?>”,

fillMode   : “<?php echo esc_js( $fill_mode ); ?>”,

layersMode : “<?php echo esc_js( $layers_mode ); ?>”,

dir        : “<?php echo esc_js( $direction ); ?>”,

view       : “<?php echo esc_js( $view ); ?>”,

<canvas width=”0″ height=”102″></canvas><canvas width=”0″ height=”102″></canvas>

• Parallax mode:

<?php if ( ‘off’ != $parallax_mode ) {

    echo “\t\t\t\t\t\tparallaxMode    : ‘” . esc_js( $parallax_mode ) . “‘,\n”;

} ?>

<canvas width=”0″ height=”66″></canvas><canvas width=”0″ height=”66″></canvas>These changes stop JavaScript string breakouts via attributes like layout, direction, view, or parallax_mode.3. Escape Flickr and Facebook JS configurationThe code that instantiates external-source controls previously embedded raw attributes in JS:

// OLD (vulnerable)

printf(

  “new MSFlickrV2( %s, { key:’%s’, id:’%s’, count:%d, thumbSize:’%s’,imgSize:’%s’, type:’%s’ });”,

  $instance_name, $flickr_key, $flickr_id, $flickr_count, $flickr_thumb_size, $flickr_size, $flickr_type

);

$facebook_username_prop = empty( $facebook_username ) ? ” : sprintf( “username:’%s’, ” , $facebook_username );

$facebook_albumid_prop  = empty( $facebook_albumid  ) ? ” : sprintf( “albumId :’%s’, ” , $facebook_albumid  );

printf(

  “new MSFacebookGallery( %s, { %s %s count:%d, thumbSize:’%s’,imgSize:’%s’, type:’%s’ });”,

  $instance_name, $facebook_username_prop, $facebook_albumid_prop, $facebook_count, $facebook_thumb_size, $facebook_size, $facebook_type

);

<canvas width=”0″ height=”256″></canvas><canvas width=”0″ height=”256″></canvas>Now they are escaped and cast safely:

// NEW

if ( ‘flickr’ == $slider_type ) {

    printf(

        “new MSFlickrV2( %s, { key:’%s’, id:’%s’, count:%d, thumbSize:’%s’,imgSize:’%s’, type:’%s’ });”,

        $instance_name,

        esc_js( $flickr_key ),

        esc_js( $flickr_id ),

        (int) $flickr_count,

        esc_js( $flickr_thumb_size ),

        esc_js( $flickr_size ),

        esc_js( $flickr_type )

    );

}

if ( ‘facebook’ == $slider_type ) {

    $facebook_username_prop = empty( $facebook_username )

        ? ”

        : sprintf( “username:’%s’, ” , esc_js( $facebook_username ) );

    $facebook_albumid_prop  = empty( $facebook_albumid )

        ? ”

        : sprintf( “albumId :’%s’, ” , esc_js( $facebook_albumid ) );

    printf(

        “new MSFacebookGallery( %s, { %s %s count:%d, thumbSize:’%s’,imgSize:’%s’, type:’%s’ });”,

        $instance_name,

        $facebook_username_prop,

        $facebook_albumid_prop,

        (int) $facebook_count,

        esc_js( $facebook_thumb_size ),

        esc_js( $facebook_size ),

        esc_js( $facebook_type )

    );

This prevents a malicious shortcode from injecting JavaScript via Flickr/ Facebook configuration.Result

• The vulnerable paths identified by Wordfence (shortcode attributes ending up in inline JS) are now both:
• Sanitized (normalized and cleaned before use), and
• Escaped with esc_js() at the point of output.
• This blocks a contributor from using a crafted shortcode to inject arbitrary JavaScript into the front-end, addressing the stored XSS described in the advisory.
• Lint checks on msp-shortcodes.php pass with no new errors.