Lucene search

K
wpexploitApple502jWPEX-ID:2C3D8C21-ECD4-41BA-8183-2ECBD9A3DF25
HistoryNov 22, 2021 - 12:00 a.m.

Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting

2021-11-2200:00:00
apple502j
85

0.001 Low

EPSS

Percentile

24.8%

The plugin does not validate and escape the “Logo Margin” carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

1) Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes)
2) Set "Logo Margin" of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value.

' style='animation-name:twentytwentyone-close-button-transition' onanimationend='alert(/XSS/)//

3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post

0.001 Low

EPSS

Percentile

24.8%

Related for WPEX-ID:2C3D8C21-ECD4-41BA-8183-2ECBD9A3DF25