WordPress Plugin Vulnerabilities

Thumbnail Carousel Slider < 1.0.1 - Stored Cross-Site Scripting (XSS) & CSRF

Description

The original advisory states that this vulnerability is exploitable with editor and author roles but this is incorrect. Only the administrator role by default can trigger this vulnerability.

However, CSRF on the image upload form makes this exploitable by a malicious actor.

Affects Plugins

Plugin icon
wp-responsive-thumbnail-slider
Fixed in 1.0.1

References

URL
https://cxsecurity.com/issue/WLB-2015080167

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.2 (high)

Miscellaneous

Submitter
Arash Khazaei
Submitter twitter
0xClay
Verified
Yes
WPVDB ID
ab7ac7d5-a68d-4af7-a38a-65aa940337f1

Timeline

Publicly Published
2015-08-28 (about 8 years ago)
Added
2015-09-02 (about 8 years ago)
Last Updated
2020-12-28 (about 3 years ago)

Other

Published
Title
Published
2016-03-17
Title
Bulletproof Security <= .53.2 - Multiple Cross Site Scripting Vulnerabilities
Published
2023-04-19
Title
WP Cerber Security < 9.2 - Unauthenticated Stored XSS
Published
2021-10-19
Title
Logo Showcase with Slick Slider < 1.2.4 - Author+ Stored Cross Site Scripting
Published
2020-09-09
Title
Sticky Menu, Sticky Header (or anything!) on Scroll < 2.21 - CSRF & XSS
Published
2023-03-17
Title
Open RDW kenteken voertuiginformatie < 2.1.0 - Reflected XSS