CVE-2024-0611 — Master Slider – Responsive Touch Slider < 3.9.5 Editor+ Stored Cross-Site Scripting via Slider Callback

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slides callback functionality in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

This plugin provides a feature to customize Slider Callbacks via script (JavaScript). I know that the admin could just enter alert(\xss\) and this report would not be in scope. However, this plugin requires certain conditions to trigger this script, such as “On slider Init” or “On Youtube/Vimeo video close”.

Proof of Concept

  1. Go to the plugin page (/wp-admin/admin.php?page=master-slider), then create a new slider.
  2. Open the slider you created and go to the Slider Callbacks tab.
  3. Click “Add new callback” with any condition (e.g. On Youtube/Vimeo video close), then enter the XSS payload:
    function(event){
      var api = event.target;
      </script><img src onerror=alert(/XSS/)>
    }

  4. Create a new post using the shortcode for the slider that has been created.

If we directly use alert(\xss\), the XSS payload will not be triggered because it does not meet the required conditions. However, we bypass this condition using a closing script tag (</script>), which ends the inline script block early so that the markup after it is parsed as HTML.
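The following is an added example, not code from the Master Slider plugin or from this report: it models the HTML parsing rule that makes the closing-tag trick above work, shows a vulnerable embedding beside a hardened one, and models the storage-side capability gate the report implies. The function names, the "slider.on" wiring and the sample inputs are all constructed for illustration.

```javascript
// Added example, not code from the Master Slider plugin: models how a
// user-supplied callback body embedded in an inline <script> block lets the
// "</script>" sequence end the block early, and one safe way to embed it.
// All function names below are hypothetical; the inputs are constructed.

// Constructed inputs: the payload shape from the report and a benign callback.
const PAYLOAD = 'function(event){\n  var api = event.target;\n  </script><img src onerror=alert(/XSS/)>\n}';
const BENIGN = 'function(event){\n  var api = event.target;\n  api.pause();\n}';

// Simplified HTML rule: once inside <script>, the tokenizer stays in "script
// data" until the first "</script" (case-insensitive), ignoring JavaScript
// syntax entirely. Returns the markup the browser would parse as HTML after
// that point. (The "<!--" escaped-script states are not modelled.)
function htmlAfterScript(doc) {
  const open = doc.indexOf('<script>');
  if (open < 0) return doc;
  const body = doc.slice(open + '<script>'.length);
  const close = body.search(/<\/script/i);
  return close < 0 ? '' : body.slice(close).replace(/^<\/script\s*>/i, '');
}

// True when a callback has escaped the script context and left a tag behind.
function leaksHtml(doc) {
  return /<[a-z]/i.test(htmlAfterScript(doc));
}

// Vulnerable pattern: raw concatenation of the stored callback into the page
// ("slider.on" is hypothetical wiring, not the plugin's real API).
function renderCallbackVulnerable(cb) {
  return '<script>\nslider.on("close", ' + cb + ');\n</script>';
}

// Hardened embedding: "</" cannot appear in the script body, so the HTML parser
// never sees "</script" before the real closing tag. Inside JavaScript string
// and regex literals "\/" is just "/", so legitimate callbacks keep working.
function escapeForInlineScript(cb) {
  return cb.replace(/<\//g, '<\\/');
}

function renderCallbackHardened(cb) {
  return renderCallbackVulnerable(escapeForInlineScript(cb));
}

// Storage-side gate the report implies: only users the site trusts with raw
// markup (WordPress's unfiltered_html capability) may store a callback at all.
function acceptCallback(userCaps, cb) {
  if (!userCaps.includes('unfiltered_html')) return null;
  return escapeForInlineScript(cb);
}
```

Run leaksHtml over the rendered page for the vulnerable and hardened variants to see the breakout appear and disappear; the capability gate is what actually restricts who can store callbacks.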

Impact

This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.