Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting

The plugin does not validate and escape the “Logo Margin” carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

PoC

1. Make a new carousel (/wp-admin/post-new.php?post_type=sp_lc_shortcodes) 2) Set “Logo Margin” of the Style Setting to the payload below. While the input is for number, it can be changed to type=text and the plugin does not validate the value. ’ style=‘animation-name:twentytwentyone-close-button-transition’ onanimationend='alert(/XSS/)// 3) Add the carousel (either published or draft) to a post using the shortcode, which will trigger the XSS when viewing/previewing the post