CVE-2026-24626

Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Logo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.9.0
PublishedJanuary 10, 2026
Last updatedJune 28, 2026
Affected pluginlogo-slider-wp
Research Plan
Unverified

This research plan targets **CVE-2026-24626**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider** plugin (slug: `logo-slider-wp`) for WordPress. --- ### 1. Vulnerability Summary The **Logo Slider** plugin (<= 4.9.0) fails to…

Show full research plan

This research plan targets CVE-2026-24626, a Stored Cross-Site Scripting (XSS) vulnerability in the Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider plugin (slug: logo-slider-wp) for WordPress.


1. Vulnerability Summary

The Logo Slider plugin (<= 4.9.0) fails to properly sanitize user-supplied input when saving slider or logo details and fails to escape this data during output. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into fields such as logo titles, descriptions, or slider names. When an administrator or any site visitor views a page where the slider is rendered (via shortcode) or views the settings in the admin dashboard, the script executes in their browser context.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin-ajax.php (or standard post.php if using a Custom Post Type).
  • Vulnerable AJAX Action: lswp_save_logo_data or lswp_create_slider (inferred based on plugin functionality).
  • Vulnerable Parameter: logo_title, logo_link, or slider_name (inferred).
  • Authentication Level: Author (Authenticated, PR:L).
  • Preconditions: The plugin must be active. The Author must have access to the Logo Slider menu (granted by the plugin's default capability settings).

3. Code Flow (Inferred)

  1. Entry Point: The user sends a POST request to admin-ajax.php with an action related to saving logos or slider settings.
  2. Handler: A function like lswp_save_logo_callback() (inferred) is triggered.
  3. Processing: The function retrieves input from $_POST['logo_title'].
  4. Insecure Storage: The code calls update_post_meta() or a direct $wpdb query without using sanitize_text_field() on the input.
  5. Vulnerable Sink (Output): When the shortcode [logo-slider] is processed, the plugin calls get_post_meta() and echoes the title directly in the HTML (e.g., inside an alt tag or title attribute) without calling esc_attr() or esc_html().

4. Nonce Acquisition Strategy

To exploit the AJAX endpoint as an Author, a valid security nonce is required.

  1. Identify Script Localization: The plugin likely enqueues an admin script and localizes a nonce.
  2. Creation of Page: If the nonce is only available on the plugin's settings page, the agent will navigate there.
  3. Extraction:
    • Action: Login as Author.
    • Tool: browser_navigate to /wp-admin/admin.php?page=logo-slider-wp.
    • Tool: browser_eval to extract the nonce from the global JavaScript object.
    • Target Variable: window.lswp_vars?.nonce or window.logo_slider_params?.ajax_nonce (inferred).

5. Exploitation Strategy

Step 1: Authentication & Discovery

  1. Login as the Author user.
  2. Navigate to the Logo Slider menu to identify the exact AJAX action and parameter names used for saving logos.
  3. Extract the nonce as described in Section 4.

Step 2: Inject Stored XSS Payload

Send a POST request to save a new logo entry with a malicious title.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=lswp_add_new_logo&
    nonce=[EXTRACTED_NONCE]&
    logo_title=<script>alert(document.domain)</script>&
    logo_link=https://example.com&
    slider_id=1
    
    (Note: Parameter names like lswp_add_new_logo and logo_title are inferred and must be confirmed by the agent via browser_eval or inspecting the admin page source.)

Step 3: Trigger the XSS

  1. Create a public post containing the plugin's shortcode:
    wp post create --post_type=page --post_status=publish --post_title="Gallery" --post_content="[logo-slider id='1']"
    
  2. Navigate to the newly created page as an unauthenticated user or an Administrator.

6. Test Data Setup

  1. User Creation: Ensure an Author user exists.
    wp user create attacker author@example.com --role=author --user_pass=password123
    
  2. Plugin Setup: Create at least one slider container if the plugin requires it before logos can be added.
    # Inferred CPT for sliders
    wp post create --post_type=lswp_slider --post_title="Main Slider" --post_status=publish
    

7. Expected Results

  • Database: The wp_postmeta (or custom table) should contain the raw <script> tag for the logo title.
  • Frontend: When viewing the page with the shortcode, the HTML source should show the unescaped script tag.
  • Browser: An alert box showing the document domain should appear, confirming execution.

8. Verification Steps

  1. Database Check:
    wp db query "SELECT meta_value FROM wp_postmeta WHERE meta_key = 'logo_title' AND meta_value LIKE '%<script>%'"
    
  2. HTTP Response Check:
    Use http_request to fetch the frontend page and grep for the payload:
    # Verification via agent
    # Response body should contain: <script>alert(document.domain)</script>
    

9. Alternative Approaches

  • Attribute Injection: If esc_html() is used but esc_attr() is not, try breaking out of an attribute:
    • Payload: "><script>alert(1)</script>
  • Link Injection: If the logo_link is vulnerable, try a javascript: URI:
    • Payload: javascript:alert(1)
  • CPT Edit: If the plugin uses a standard Custom Post Type (lswp_logos) and the Author has edit_posts capability, try injecting the payload directly into the Post Title via the standard WordPress editor or wp-json/wp/v2/lswp_logos.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Logo Slider plugin for WordPress (<= 4.9.0) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. Authenticated attackers with Author-level access can inject arbitrary JavaScript into slider or logo metadata fields, which executes when any user, including administrators, views the slider or the settings page.

Vulnerable Code

// Inferred from plugin functionality and research plan
// File: likely within the main plugin file or an AJAX handler file

public function lswp_save_logo_data() {
    // ... nonce checks ...
    $logo_id = $_POST['logo_id'];
    $logo_title = $_POST['logo_title']; // Vulnerable: No sanitization before storage
    update_post_meta($logo_id, 'logo_title', $logo_title);
}

---

// File: likely within shortcode rendering logic (e.g., includes/front-end.php)

$title = get_post_meta($post->ID, 'logo_title', true);
echo '<div class="logo-item" title="' . $title . '">'; // Vulnerable: Outputting metadata without escaping

Security Fix

--- a/logo-slider-wp.php
+++ b/logo-slider-wp.php
@@ -10,7 +10,7 @@
-    $logo_title = $_POST['logo_title'];
+    $logo_title = sanitize_text_field($_POST['logo_title']);
     update_post_meta($logo_id, 'logo_title', $logo_title);
 
--- a/includes/front-end.php
+++ b/includes/front-end.php
@@ -50,7 +50,7 @@
-    $title = get_post_meta($post->ID, 'logo_title', true);
-    echo '<div class="logo-item" title="' . $title . '">';
+    $title = get_post_meta($post->ID, 'logo_title', true);
+    echo '<div class="logo-item" title="' . esc_attr($title) . '">';

Exploit Outline

To exploit this vulnerability, an attacker with Author-level permissions first authenticates to the WordPress dashboard. They navigate to the Logo Slider management page to capture a valid security nonce and identify the AJAX action responsible for saving logo data (e.g., lswp_save_logo_data). The attacker then sends a POST request to admin-ajax.php containing the nonce, a valid slider ID, and a malicious payload like '<script>alert(document.domain)</script>' in parameters such as 'logo_title' or 'logo_link'. Once the payload is stored in the database, it will execute in the browser context of any visitor who views a page featuring the plugin's shortcode [logo-slider] or any administrator viewing the logo's settings.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.