CVE-2022-1153: 
WordPress vulnerability analysis and mitigation

The LayerSlider WordPress plugin versions before 7.1.2 contain a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape the Project's slug before outputting it in various places, which could allow high-privilege users such as administrators to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed (WPScan).

The vulnerability exists in the template slug functionality of the slider. When creating or editing a slider project, the SLUG input field does not properly sanitize user input, allowing storage of malicious JavaScript code. The vulnerability can be triggered in two ways: either through direct manipulation of the slider's slug or by importing a malicious configuration file (settings.json). The issue has been assigned a CVSS score of 3.4 (low) and is classified as CWE-79: Cross-Site Scripting (WPScan).

The vulnerability allows authenticated users with high privileges to store and execute malicious JavaScript code. When other users access the affected slider project or its settings, the stored malicious code will be executed in their browser context. This could potentially lead to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been fixed in LayerSlider version 7.1.2. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).