The Slider Revolution plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input in the Add Layer widget. Specifically, the plugin fails to adequately sanitize and escape the 'class', 'id', and 'title' attributes supplied by users, enabling authenticated users with author-level privileges and granted Slider Creation rights to inject malicious scripts. These scripts execute in the context of any user who accesses the compromised page. The vulnerability affects all versions up to and including 6.7.11. Exploitation requires elevated privileges and administrative configuration to grant necessary rights. The CVSS 3.1 base score is 6.4 (medium severity), with network attack vector, low attack complexity, privileges required at the author level, no user interaction, and impacts confidentiality and integrity but not availability.

An attacker with author-level access and granted Slider Creation privileges can inject persistent malicious scripts into pages via the Add Layer widget. These scripts execute in the browsers of users who view the affected pages, potentially leading to unauthorized actions or data disclosure within the context of the affected site. The impact affects confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid granting Slider Creation privileges to author-level users and limit plugin usage to trusted users only. Monitoring for suspicious activity related to the Add Layer widget is advisable. Follow vendor communications for updates on patches or official mitigations.