Logo Showcase with Slick Slider WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Logo Showcase with Slick Slider WordPress plugin, affecting versions prior to 1.2.4. The issue arises because the plugin fails to properly sanitize the Grid Settings, allowing users with at least Author role to inject malicious scripts via post metadata. This vulnerability could be exploited to execute harmful scripts when the affected content is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, create a Logo Showcase and set the display type to Logo Grid. Adjust the grid settings to include a JavaScript payload, such as an alert, which can bypass certain JavaScript protections by intercepting the HTTP request with a tool like OWASP ZAP or Burp. After adding the showcase to a post using the shortcode, the injected script will execute when the post is viewed.

Remediation

Users are advised to update the Logo Showcase with Slick Slider WordPress plugin to version 1.2.4 or later.