PT-2022-9454 · WordPress · The Logo Showcase With Slick Slider
Apple502J
·
Published
2022-02-28
·
Updated
2022-11-09
·
CVE-2021-24730
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Logo Showcase with Slick Slider WordPress plugin versions prior to 1.2.5
Description
The issue concerns a lack of CSRF and authorization checks in the
lswss save attachment data AJAX action. This allows any authenticated user to modify title, description, alt text, and URL of arbitrary uploaded media.Recommendations
For versions prior to 1.2.5, update to version 1.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the
lswss save attachment data AJAX action to prevent unauthorized changes to media uploads.Exploit
Fix
Missing Authorization
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
The Logo Showcase With Slick Slider