WordPress Plugin Vulnerabilities
Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting
Description
The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
Proof of Concept
1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes) 2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value. ' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)// 3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-22 (about 2 years ago)
Added
2021-11-22 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)