CSRF and stored XSS in WordPress Content Slide allow an attacker to have full admin privileges


Last revised:

An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary javascript:

A CSRF vulnerability allows an attacker to change any option in the plugin. The plugin does not escape content when put into HTML so the attacker can then use JavaScript to perform almost any action an admin can take (including creating new users, executing arbitrary php through the theme editor or exploiting vulnerabilities in WordPress or other plugins which normally require the user to be authenticated as an admin).

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

While logged into a site with the plugin enabled open a page containing the following form and click the submit button (in a real attack the form could be made to auto-submit):

<form action="http://localhost/wp-admin/admin.php?page=content-slide/content_slide.php" method="POST">
  <input type="text" name="wpcs_options[no_of_custom_images]" value="1">
  <input type="text" name="wpcs_options[slide_image1]" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="submit">

If using a browser without reflected XSS mitigation (e.g. Chrome) the admin user will see “1” in an alert box, otherwise a refresh of the page is required before the JavaScript is executed.

Advisory timeline

  • 2014-10-08: Discovered
  • 2014-12-16: Reported to vendor via email form at
  • 2014-12-16: Requested CVE
  • 2015-01-07: Vendor responded
  • 2015-01-09: Vendor chased
  • 2015-04-09: Vendor had given assurances that a fix would be available, and was given multiple extensions to do so, but by this point they had stopped responding. Emailed requesting a takedown.
  • 2015-04-16: Confirmed that the plugin is no longer on the directory. Published.

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug

At the time of publishing no fix is available and the plugin has been removed from the plugin directory