CVE-2021-4424: Changeset 2548890 for slider-hero/trunk/qcld-slider-main.php – WordPress Plugin Repository
The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
slider-hero/trunk/qcld-slider-main.php
r2474844
r2548890
4
4
\* Plugin URI: https://wordpress.org/plugins/slider-hero
5
5
\* Description: Slider Hero is a Unique Hero Slider Plugin with Background Animation Effects, Video Background & Intro Builder. Animation Slider Carousels, INCREDIBLE Adverts. Animated Header with Text Carousel.
6
\* Version: 8.2.0
6
\* Version: 8.2.1
7
7
\* Author: QuantumCloud
8
8
\* Author URI: https://www.quantumcloud.com/
9
9
\* Requires at least: 4.6
10
\* Tested up to: 5.6
10
\* Tested up to: 5.7
11
11
\*/
12
12
…
…
177
177
) );
178
178
if(isset($\_GET\['task'\]) && $\_GET\['task'\]=='editslider' && $\_GET\['id'\]!=''){
179
$slider\_row = $wpdb->get\_results( $wpdb->prepare( "SELECT \* FROM $table WHERE id = %d", intval($\_GET\['id'\]) ) );
179
$slider\_row = $wpdb->get\_results( $wpdb->prepare( "SELECT \* FROM $table WHERE id = %d", $\_GET\['id'\] ) );
180
180
181
181
wp\_localize\_script( 'qcld\_sliderhero\_add\_slide\_popups', 'heroslider', array(
…
…
232
232
$ajax\_object\['removeImageNonce'\] = wp\_create\_nonce('qchero\_remove\_image\_'.$id);
233
233
$ajax\_object\['onImageNonce'\] = wp\_create\_nonce('qchero\_on\_image\_'.$id);
234
$ajax\_object\['emptyNameAlert'\] = esc\_html\_\_("Fill in the name before saving the slider.","qchero");
235
$ajax\_object\['noImageAlert'\] = esc\_html\_\_("Firstly add slides in your slider!","qchero");
234
$ajax\_object\['emptyNameAlert'\] = \_\_("Fill in the name before saving the slider.","qchero");
235
$ajax\_object\['noImageAlert'\] = \_\_("Firstly add slides in your slider!","qchero");
236
236
}
237
237
wp\_localize\_script( 'qcld\_sliderhero\_ajax', 'qchero\_ajax\_object',$ajax\_object);
…
…
273
273
if(isset($\_GET\['task'\]) && $\_GET\['task'\] == 'heroduplicateslider'){
274
274
$id = absint($\_GET\['id'\]);
275
if ( isset( $\_REQUEST\['slider\_hero\_duplicate\_nonce'\] ) ) {
276
if ( ! wp\_verify\_nonce( $\_REQUEST\['slider\_hero\_duplicate\_nonce'\], 'slider\_hero\_duplicateslider\_' . $id ) ) {
277
die( \_\_( 'Security check failed', 'reslide' ) );
278
}
279
}
275
276
if ( ! wp\_verify\_nonce( $\_REQUEST\['slider\_hero\_duplicate\_nonce'\], 'slider\_hero\_duplicateslider\_' . $id ) ) {
277
die( \_\_( 'Security check failed', 'reslide' ) );
278
}
279
280
280
$table = QCLD\_TABLE\_SLIDERS;
281
281
$query = $wpdb->prepare( "SELECT \* FROM " . $table . " WHERE id=%d", $id );
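Review bot: No capability check accompanies the nonce verification on the new side of lines 276–278 in the `heroduplicateslider` branch; dropping the `isset()` wrapper closes the bypass where simply omitting `slider_hero_duplicate_nonce` skipped the check, but a nonce only proves the request came from a page that rendered it for this user, not that the user may duplicate sliders. Unless the code enclosing this branch (which continues past the end of the hunk) already gates on `current_user_can()`, pair the two checks, e.g. `if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $_REQUEST['slider_hero_duplicate_nonce'] ?? '', 'slider_hero_duplicateslider_' . $id ) ) {` — substituting whatever capability the plugin's admin menu is registered with. Reading the index directly also emits an undefined-index notice (a warning on PHP 8) when the parameter is absent; the `?? ''` above avoids that, and `wp_verify_nonce()` returns false for an empty string, so the request is still rejected. Minor: the `die()` message uses text domain `'reslide'` while every other string in this file uses `'qchero'`, and `wp_die( __( 'Security check failed', 'qchero' ) )` is the conventional way to abort an admin request.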