Logo Carousel < 3.4.2 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24738 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes)
2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value.

' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)//

3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post

Affects Plugins

logo-carousel-free

Fixed in 3.4.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

2c3d8c21-ecd4-41ba-8183-2ecbd9a3df25

Timeline

Publicly Published

2021-11-22 (about 2 years ago)

Added

2021-11-22 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2022-06-08

Title

Gallery Bank <= 4.0.50 - Author+ Stored XSS via Media Upload Module

Published

2024-02-29

Title

Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget

Published

2020-08-31

Title

Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting

Published

2023-05-04

Title

Multi Rating <= 5.0.6 - Admin+ Stored XSS

Published

2014-08-01

Title

LeagueManager <= 3.7 - wp-admin/admin.php Multiple Parameter XSS