Logo Carousel < 3.4.2 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24738 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes)
2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value.

' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)//

3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post

Affects Plugins

logo-carousel-free

Fixed in 3.4.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

2c3d8c21-ecd4-41ba-8183-2ecbd9a3df25

Timeline

Publicly Published

2021-11-22 (about 4 years ago)

Added

2021-11-22 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2023-02-28

Title

WP Repost <= 0.1 - Admin+ Stored XSS

Published

2014-08-01

Title

WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS

Published

2025-10-19

Title

Headline Analyzer <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2015-08-10

Title

WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)

Published

2025-01-16

Title

Mojo Under Construction <= 1.1.2 - Reflected Cross-Site Scripting