Document Title:
===============
WP Master Slider v3.5.1 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2158

Reference: https://wordpress.org/support/?post_type=topic&p=10874555
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20368

CVE-ID:
=======
CVE-2018-20368

Release Date:
=============
2018-11-14

Vulnerability Laboratory ID (VL-ID):
====================================
2158

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Master Slider WordPress slider plugin is a premium image and content slider with super smooth hardware accelerated transitions. It supports touch navigation with a pure swipe gesture that you have never experienced before. Master Slider is a truly responsive and device friendly slider which works perfectly on all major devices. Master Slider plugin is a well done layer slider as well, with the ability to add any HTML contents (texts, images, …) in layers. It is easy to use, plus there are 80+ ready to use sample sliders for you. You have almost everything such as hotspots, thumbnails, video support, a variety of effects, and many more features in this plugin. Master Slider WordPress slider is the most complete among the best sliders.

(Copy of the Homepage: https://wordpress.org/plugins/master-slider )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official Master Slider v3.5.1 wordpress plugin.
Vulnerability Disclosure Timeline:
==================================
2018-11-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Averta Ltd
Product: Master Slider - Wordpress Plugin 3.2.7

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official Master Slider v3.5.1 wordpress plugin.
The vulnerability allows remote attackers to inject their own malicious script code on the application side of the affected module.

The persistent cross site scripting web vulnerability is located in the `name` input field of the `MSPanel.Settings` value that is submitted on `callback`. The injection point is the `name` input field; the execution point is the master-slider listing page, which renders the stored name after an insert or edit. The attack vector is located on the application side and the request method used to inject is POST. Exploitation of the issue requires a privileged web-application user account and only low user interaction. Successful exploitation of the application-side vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of affected or connected module context.

Proof of Concept (PoC):
=======================
The xss vulnerability can be exploited by authenticated remote attackers with low user interaction.
For security demonstration or to reproduce the issue follow the provided information or steps below.
PoC: Master Slider (Item Listing)

ID  Name                 Shortcode               Slides  Typ  Zuletzt modifiziert  Erstellungsdatum  Aktion
5   Suche, Sitemap, 404  [masterslider id="5"]   4            6 Tagen zurück       2018/10/12        duplicate delete preview
8   Wasserwerke          [masterslider id="8"]   2            6 Tagen zurück       2018/10/12        duplicate delete preview
11  Startseite           [masterslider id="11"]  4            6 Tagen zurück       2018/10/12        duplicate delete preview
15  test><"%20%20>"
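The listing page above is the execution point: a slider name stored through the settings form is written back into the HTML table as-is. The following PHP is an added example written for this advisory, not code from the Master Slider plugin or from Averta. It shows the unescaped rendering pattern beside the escaped one, using the WordPress escaping helpers `esc_html()` and `esc_attr()`; because those helpers only exist inside WordPress, the block declares stand-ins with the same behaviour for this input so that it runs from the command line. The sample slider record and its name are constructed for the example.

```php
<?php
// Added example, not the plugin's code. The stand-ins below are only used
// when the script runs outside WordPress; inside WordPress the real
// esc_html()/esc_attr() are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample record: a slider whose stored name carries markup,
// in the spirit of the "test>..." entry in the advisory's listing.
$slider = ['id' => 15, 'name' => 'test"><em>injected</em>', 'slides' => 1];

// Vulnerable pattern: the stored name is echoed straight into the table cell,
// so any markup saved through the name field becomes part of the page.
function render_row_unescaped(array $s): string {
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>[masterslider id="%d"]</td><td>%d</td></tr>',
        $s['id'], $s['name'], $s['id'], $s['slides']
    );
}

// Hardened pattern: every stored value is escaped for the context it lands in.
// Text nodes go through esc_html(); the shortcode string is escaped as text too,
// and numeric fields are cast so they can never carry markup.
function render_row_escaped(array $s): string {
    $shortcode = sprintf('[masterslider id="%d"]', (int) $s['id']);
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>%s</td><td>%d</td></tr>',
        (int) $s['id'], esc_html($s['name']), esc_html($shortcode), (int) $s['slides']
    );
}

// Regression check a reviewer can keep: the rendered row must contain the
// escaped form of the name and must not contain the raw stored string.
function row_is_safe(string $html, string $name): bool {
    return strpos($html, $name) === false
        && strpos($html, esc_html($name)) !== false;
}

echo "unescaped: ", render_row_unescaped($slider), "\n";
echo "escaped:   ", render_row_escaped($slider), "\n";
var_dump(row_is_safe(render_row_unescaped($slider), $slider['name']));
var_dump(row_is_safe(render_row_escaped($slider), $slider['name']));
```

Escaping at the output point is the fix that closes the execution point; validating the name when the `MSPanel.Settings` callback saves it (WordPress offers `sanitize_text_field()` for that) is defence in depth, not a replacement, because the same stored value may be rendered in more than one place.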