Custom Post Carousels with Owl WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom Post Carousels with Owl WordPress plugin, affecting versions prior to 1.4.12. The issue arises because the plugin uses the featherlight library and the data-featherlight attribute without proper sanitization. This vulnerability allows an attacker to inject malicious JavaScript that is executed when the link is clicked.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an admin must first create a new carousel using the Custom Post Carousels with Owl plugin. After selecting 'Media' as the post type and enabling the 'Open in Lightbox' option, a contributor can create a new post. The post should include a link with a data-featherlight attribute containing unsanitized HTML, such as an image tag with an onerror event. When another user clicks the link, the injected JavaScript is executed.

Remediation

Users are advised to update the Custom Post Carousels with Owl WordPress plugin to version 1.4.12 or later.