← back
CVE-2021-24730

Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update

EPSS 0.3%CWE-352CWE-862
The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.
Affected products
Unknown · Logo Showcase with Slick Slider – Logo Carousel, Logo Slider & Logo Grid

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/d5534ff9-c4af-46b7-8852-0f3dfd644855