WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes)
2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value.

' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)//

3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post

Affects Plugins

logo-carousel-free
Fixed in version 3.4.2

References

CVE
CVE-2021-24738

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
2c3d8c21-ecd4-41ba-8183-2ecbd9a3df25

Timeline

Publicly Published

2021-11-22 (about 7 months ago)

Added

2021-11-22 (about 7 months ago)

Last Updated

2022-04-11 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin