Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
Proof of Concept
1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes)
2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value.
' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)//
3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post