Attack Vectors
The All In One Slider WordPress plugin (formerly known as All In One Carousel) is affected by a Medium-severity reflected cross-site scripting (XSS) vulnerability in versions up to and including 1.2.20 (CVSS 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
This issue can be exploited remotely by an unauthenticated attacker by crafting a link or request that places malicious script content into the “id” parameter. Because it is reflected XSS, the attacker typically needs to trick a user into clicking a link or otherwise loading a crafted URL (for example, via an email, chat message, social post, or a compromised third-party site linking back to your domain).
Source: Wordfence vulnerability advisory. (No CVE identifier is listed in the provided source.)
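Because the advisory names the “id” parameter as the injection point, a defender reviewing an exposed site will want to know whether crafted requests of this kind have already been received. The following is an added illustration, not code from the advisory or the plugin: a post-hoc triage helper in PHP that scans access-log lines in combined log format and flags requests whose id parameter is not the plain integer a slider id would normally be. The log lines are constructed samples, and the assumption that a legitimate id is numeric is the author's of this example, not something the advisory states.

```php
<?php
// Added illustration, not from the advisory: a post-hoc triage helper that
// scans web-server access-log lines (combined log format) for requests whose
// "id" query parameter is not the plain integer a slider id is assumed to be.
// It is a review aid for incident responders, not a substitute for patching.
// The log lines below are constructed samples.

function extract_id_param(string $request): ?string {
    // "GET /path?query HTTP/1.1" -> decoded value of the id query parameter
    if (!preg_match('/^[A-Z]+ (\S+) HTTP\//', $request, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params); // percent-decodes, so the value is as the plugin saw it
    return isset($params['id']) && is_scalar($params['id']) ? (string) $params['id'] : null;
}

function classify_id(string $id): string {
    if (preg_match('/^\d+$/', $id)) {
        return 'ok';          // what a numeric slider id looks like
    }
    if (preg_match('/[<>"\']/', $id)) {
        return 'markup';      // characters that close a tag or attribute: review first
    }
    return 'unexpected';      // not numeric, but no markup characters
}

function triage_log(array $lines): array {
    $hits = [];
    // client - - [time] "request" status bytes "referer" "user-agent"
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} \S+ "([^"]*)"/';
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;         // not a combined-format line
        }
        $id = extract_id_param($m[3]);
        if ($id === null) {
            continue;         // request did not carry an id parameter
        }
        $class = classify_id($id);
        if ($class !== 'ok') {
            $hits[] = ['client' => $m[1], 'time' => $m[2], 'referer' => $m[4],
                       'id' => $id, 'class' => $class];
        }
    }
    return $hits;
}

// Constructed sample log: one normal request, two with non-numeric ids
// (percent-encoded as a browser would send them), one without an id.
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "GET /?id=12%22%20data-injected%3D%22x HTTP/1.1" 200 5140 "https://example.net/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:58:10 +0000] "GET /?id=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5140 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:59:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (triage_log($sampleLog) as $hit) {
    printf("%s %s id=%s [%s] referer=%s\n",
        $hit['time'], $hit['client'], $hit['id'], $hit['class'], $hit['referer']);
}
```

The referer is kept in each hit because, for reflected XSS, it is the field most likely to show where the crafted link was planted (a third-party page, as the advisory describes); a "-" referer usually means the link arrived by email, chat, or direct paste. The classification is deliberately coarse: it reads the percent-decoded value rather than matching payload signatures, so it catches anything that is not a numeric id, and a reviewer decides what matters.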
Security Weakness
The vulnerability is caused by insufficient input sanitization and insufficient output escaping of the “id” parameter. In practical terms, the plugin fails to reliably treat user-controlled data as untrusted before it is displayed back to a browser.
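To make "insufficient sanitization and insufficient output escaping" concrete, here is an added illustration in PHP of the pattern that produces a reflected XSS in a WordPress plugin, beside its corrected form. This is not All In One Slider's code; the function names and the assumption that the id is meant to be a numeric slider id are hypothetical. The stand-ins for absint() and esc_attr() exist only so the script runs from the command line outside WordPress; inside WordPress the real helpers are used.

```php
<?php
// Added illustration, not code from All In One Slider. The function names
// and the assumption that "id" is a numeric slider id are hypothetical.
// Stand-ins for the WordPress helpers so the script runs from the CLI;
// inside WordPress these definitions are skipped and the real ones are used.
if (!function_exists('absint')) {
    function absint($maybeint) { return abs((int) $maybeint); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Weak pattern: the request value is reflected into markup with no
// validation and no output escaping, so a quote in the value closes the
// attribute and whatever follows becomes part of the page's HTML.
function render_slider_weak(array $request): string {
    $id = isset($request['id']) ? $request['id'] : '';
    return '<div class="slider" data-id="' . $id . '"></div>';
}

// Corrected pattern: validate on input (only a positive integer is accepted)
// and still escape on output for the attribute context, so that a later
// change to the validation cannot silently reintroduce the flaw.
function render_slider_fixed(array $request): string {
    $id = isset($request['id']) ? absint($request['id']) : 0;
    if ($id === 0) {
        return '<div class="slider"></div>'; // nothing user-controlled reaches the markup
    }
    return '<div class="slider" data-id="' . esc_attr($id) . '"></div>';
}

// Constructed sample: a benign marker that breaks out of the attribute.
$sample = ['id' => '12" data-injected="x'];
echo render_slider_weak($sample), PHP_EOL;   // the marker becomes a second attribute
echo render_slider_fixed($sample), PHP_EOL;  // only the leading integer survives
// If the id had to remain a string, escaping alone still neutralises the quotes
// (they are emitted as entities, so the attribute is never closed early):
echo esc_attr($sample['id']), PHP_EOL;
```

The two fixes are independent and both belong in the corrected code: validation (absint) shrinks the accepted input to what the feature needs, and contextual escaping (esc_attr for an attribute, esc_html for element text, esc_url for a URL) makes the output safe regardless of what got through. Relying on only one of them is how reflected XSS of this kind recurs after a partial patch.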
Even though reflected XSS typically requires user interaction, it is still a meaningful business risk because it can be weaponized through believable “review this,” “approve this,” or “your site has an issue” messages sent to employees, vendors, or customers—especially if the request appears to originate from your own website domain.
Technical or Business Impacts
If exploited, a reflected XSS flaw can allow an attacker’s script to run in the victim’s browser in the context of your website. Depending on who clicks (for example, a marketing admin, content manager, or executive assistant with access), the impact can include:
Account and session risk: Attackers may be able to interfere with active sessions, potentially enabling unauthorized actions performed as the victim user (risk varies based on site configuration, browser protections, and user permissions).
Brand and customer trust damage: A successful XSS campaign can redirect users, show fake forms, or display misleading content that appears to be from your organization—creating reputational harm and customer support burden.
Compliance and reporting exposure: If XSS is used as a stepping stone to access personal data or to impersonate users, it can trigger incident response obligations, internal reporting, and potential regulatory scrutiny depending on your industry and geography.
Recommended remediation: Update All In One Slider to version 1.2.21 or a newer patched version as advised by the vendor/community source.
Similar Attacks
Reflected and stored XSS vulnerabilities have been used in real-world attacks to spread quickly and to impact brand trust:
The “Samy” MySpace worm (XSS-driven propagation across social profiles).
The 2010 Twitter onMouseOver “worm” (XSS-related event that spread through user interaction).
Notable XSS vulnerabilities (overview): background on how XSS has affected major platforms.