Logo Showcase with Slick Slider < 1.2.4 – Author+ Stored Cross Site Scripting | CVE 2021-24729 | Plugin Vulnerabilities

Description

The plugin does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase.

Proof of Concept

1) Create a Logo Showcase
2) Set display type to Logo Grid
3) Set number of grid to 1" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//
NOTE: the 1 is important to avoid zero division error.
NOTE: there are Javascript protections which can be mitigated by intercepting the HTTP request in a tool like OWASP ZAP or Burp.
4) Add the showcase to a post using shortcode

Affects Plugins

logo-showcase-with-slick-slider

Fixed in 1.2.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

5d70818e-730d-40c9-a2db-652052a5fd5c

Timeline

Publicly Published

2021-10-19 (about 4 years ago)

Added

2021-10-19 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-08-02

Title

WeMusic < 1.9.2 - Reflected Cross-Site Scripting

Published

2022-06-21

Title

Import CSV Files <= 1.0 - Reflected Cross-Site Scripting

Published

2024-04-15

Title

Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ Stored XSS via Custom JS

Published

2023-08-23

Title

Leyka < 3.30.4 - Admin+ Stored XSS

Published

2025-01-03

Title

Highlight < 2.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting