The plugin does not sanitise and escape a Project's slug before outputting it back in various places, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept (PoC):
=======================

1.) The stored XSS is done in the template slug of any slider: a JavaScript payload is added to the SLUG input, and the stored script is executed when the template is reopened or when other functions of the slider are used.
2.) The vulnerability also allows loading a configuration file (settings.json) containing the malicious payload, which is then executed within the slider editor.

## POC1: via slider slug

1.) Add new project & put a name
2.) Create Blank Project
3.) Project Settings & tab Publish
4.) Add malicious code in the SLUG field: ">
5.) Exit
6.) Save Project
7.) The XSS triggers when accessing the project again, for example (there seem to be other places where it is triggered as well, such as the Project's settings)

## POC2: via file.json

1.) Add new post & Create Blank Project
2.) Import Projects
3.) Load file.json (an exported project settings file whose "slug" property contains the malicious payload)
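The fix the advisory calls for (sanitise the slug on every entry point, including the JSON import, and escape it on every output), as an added example that is not LayerSlider's code; the function names and the sample inputs are constructed.

```php
<?php
// Added example, not LayerSlider's own code. Plain PHP so it runs stand-alone;
// in a WordPress plugin the equivalent calls are sanitize_title() on save and
// esc_attr() / esc_html() on output. Function names here are illustrative.

// Normalise a slug to lowercase letters, digits and hyphens. Quotes, angle
// brackets and anything else that could break out of markup are replaced.
function sanitize_slug(string $raw): string {
    $slug = preg_replace('/[^a-z0-9-]+/', '-', strtolower($raw));
    return trim($slug, '-');
}

// Escape for an HTML attribute value such as value="...".
function slug_attr(string $slug): string {
    return htmlspecialchars($slug, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern from the advisory: the stored slug is echoed as-is.
function render_slug_field_vulnerable(string $stored_slug): string {
    return '<input name="slug" value="' . $stored_slug . '">';
}

// Hardened pattern: escape at output even though the value was sanitised on
// save; the two controls are independent and both belong in the plugin.
function render_slug_field_safe(string $stored_slug): string {
    return '<input name="slug" value="' . slug_attr($stored_slug) . '">';
}

// Import path (POC2): the slug arrives in properties.slug of an exported
// project file and must pass through the same sanitiser as the form field.
function import_project_slug(string $json): string {
    $project = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $raw = $project['properties']['slug'] ?? '';
    if (!is_string($raw)) {
        throw new InvalidArgumentException('slug must be a string');
    }
    return sanitize_slug($raw);
}

// Constructed inputs modelled on the two PoCs (markup-breaking, no script).
$form_value  = '"><b>injected</b>';
$import_file = '{"properties":{"title":"Via Json","slug":"\"><i>injected</i>"}}';

echo render_slug_field_vulnerable($form_value), PHP_EOL;          // breaks out of the attribute
echo render_slug_field_safe(sanitize_slug($form_value)), PHP_EOL; // value="b-injected-b"
echo render_slug_field_safe($form_value), PHP_EOL;                // escaping alone also keeps it inside the attribute
echo import_project_slug($import_file), PHP_EOL;                  // i-injected-i
```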
| CPE | Name | Operator | Version |
|---|---|---|---|
| | layerslider | lt | 7.1.2 |