The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example.
{"id": "CVE-2021-24544", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24544", "description": "The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example.", "published": "2021-10-25T14:15:00", "modified": "2021-10-28T14:39:00", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5}, "severity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24544", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/4a2dddfc-6ce2-4edd-aaaa-4c130a9356d0"], "cvelist": ["CVE-2021-24544"], "immutableFields": [], "lastseen": "2022-03-23T14:56:50", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0"]}], "rev": 4}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0"]}]}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:motopress:motopress-slider-lite:2.2.0"], "cpe23": ["cpe:2.3:a:motopress:motopress-slider-lite:2.2.0:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "motopress:motopress-slider-lite", "version": "2.2.0", "operator": "le", "name": "motopress motopress-slider-lite"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:motopress:motopress-slider-lite:2.2.0:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.2.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/4a2dddfc-6ce2-4edd-aaaa-4c130a9356d0", "name": "https://wpscan.com/vulnerability/4a2dddfc-6ce2-4edd-aaaa-4c130a9356d0", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpexploit": [{"lastseen": "2021-11-26T19:31:00", "description": "The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. Timeline July 19th, 2021 - Details sent to vendor July 21st, 2021 - Vendor working on a patch August 11th, 2021 - Asked for update August 12th, 20121 - Ticket handler will follow up with dev September 21st, 2021 - No update, public disclosure\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-09-21T00:00:00", "type": "wpexploit", "title": "Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24544"], "modified": "2021-09-21T21:29:04", "id": "WPEX-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0", "href": "", "sourceData": "As a subscriber, create a Slider with the following payload in the Slider Title: \"><script>alert(/XSS/)</script>\r\n\r\nThen view the Sliders list or Edit the slider to trigger the XSS\r\n\r\nhttps://www.youtube.com/watch?v=8oHr_PE2eZ8", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2021-11-26T19:31:00", "description": "The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. Timeline July 19th, 2021 - Details sent to vendor July 21st, 2021 - Vendor working on a patch August 11th, 2021 - Asked for update August 12th, 20121 - Ticket handler will follow up with dev September 21st, 2021 - No update, public disclosure\n\n### PoC\n\nAs a subscriber, create a Slider with the following payload in the Slider Title: \"> Then view the Sliders list or Edit the slider to trigger the XSS https://www.youtube.com/watch?v=8oHr_PE2eZ8\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-09-21T00:00:00", "type": "wpvulndb", "title": "Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24544"], "modified": "2021-09-21T21:29:04", "id": "WPVDB-ID:4A2DDDFC-6CE2-4EDD-AAAA-4C130A9356D0", "href": "https://wpscan.com/vulnerability/4a2dddfc-6ce2-4edd-aaaa-4c130a9356d0", "sourceData": "", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}
CVE-2021-24544
