In a recent discovery, the popular WordPress plugin Slider by 10Web has been identified as harboring a critical security vulnerability. This flaw, cataloged under CVE-2024-6408, poses a substantial threat to website integrity and user security by enabling Stored Cross-Site Scripting (XSS) attacks.
CVE | CVE-2024-6408
Plugin | Slider by 10Web < 1.2.57
Severity | High
Downloads (all time) | 2 276 000
Active installations | 20 000+
Publicly Published | July 15, 2024
Last Updated | July 15, 2024
Researcher | Dmitrii Ignatyev
OWASP TOP-10 | A7: Cross-Site Scripting (XSS)
PoC | Yes
Exploit | No
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6408
Reference | https://wpscan.com/vulnerability/31aaeffb-a752-4941-9d0f-1b374fbc7abb/
Plugin Security Certification by CleanTalk | (badge not shown)
Timeline
June 13, 2024 | Plugin testing and vulnerability detection in Slider by 10Web were completed
June 13, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
July 15, 2024 | Registered CVE-2024-6408 |
Discovery of the Vulnerability
The vulnerability was uncovered during routine security testing aimed at strengthening the resilience of WordPress plugins against unauthorized code execution. The specific issue lies in the “Title” field of the Slider Configurator: the value entered there is stored and later written back into the page without escaping, so injected markup is saved and executed as script whenever the slider is rendered.
Understanding Stored XSS attacks
Stored XSS vulnerabilities exploit the trust a user places in a particular site: the payload is persisted on the server and served to every visitor who loads the affected page. In WordPress, such flaws typically arise from inadequate sanitization of user input or missing escaping of stored values at output time. Typical consequences include theft of session tokens, account hijacking, or redirection of visitors to malicious sites, all of which can cause significant damage.
Exploiting the Stored XSS Vulnerability
The exploit involves inserting a malicious string into the “Title” field of a new slider created via the Slider by 10Web plugin. Because the title is echoed into an HTML attribute without escaping, a value that closes the attribute and appends an event handler is stored as-is. When any user views a page containing the infected slider, the handler executes, potentially compromising that user’s session or, if the viewer is an administrator, escalating privileges within the WordPress site.
PoC:
Enter the following value into the “Title” field in the Slider Configurator:
12123123" onmouseover=alert(1)//
The impact of this vulnerability can be broad, ranging from theft of confidential information to complete administrative control over the WordPress site. In environments where sliders are widely used for content presentation, the risk is amplified because the payload is delivered to a large user base.
Recommendations for Improved Security
To mitigate this threat, it is crucial to immediately update the Slider by 10Web plugin to the latest version, which patches this vulnerability. Additionally, administrators should conduct thorough audits of user roles and permissions, ensuring that only trusted users have the ability to modify slider settings.
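The following PHP is an added example written for this post; it is not code from the advisory or from the Slider by 10Web plugin. It shows the attribute-context break-out that a stored, unescaped slider title allows, using the PoC string above as constructed input, and the hardened rendering that escapes the value for its exact output context with WordPress’s real esc_attr() and esc_html() functions. The two render functions are hypothetical names chosen for the example; minimal stand-ins for the WordPress escaping functions are defined only when they are absent, so the file also runs under the plain php CLI.

```php
<?php
// Added example (not the plugin's own code): stored title echoed into an HTML
// attribute, unescaped versus escaped for its output context.

// Outside WordPress esc_attr()/esc_html() are not defined. These stand-ins
// follow the same contract (HTML-encode quotes, angle brackets and ampersands)
// so the example runs with the php CLI; inside WordPress the real ones are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed input: the PoC value from this advisory, exactly as it would be
// persisted in the slider settings by a user who can edit sliders.
$stored_title = '12123123" onmouseover=alert(1)//';

// Vulnerable pattern (hypothetical renderer): the stored value is concatenated
// straight into markup. The double quote in the value closes the title=""
// attribute, and the rest of the string becomes a live onmouseover handler.
function render_slide_vulnerable(string $title): string {
    return '<div class="slide" title="' . $title . '">' . $title . '</div>';
}

// Hardened pattern (hypothetical renderer): escape at output time, choosing the
// escaper by context. esc_attr() for attribute values turns the quote into
// &quot; so the attribute cannot be closed early; esc_html() for element text.
function render_slide_hardened(string $title): string {
    return '<div class="slide" title="' . esc_attr($title) . '">'
        . esc_html($title)
        . '</div>';
}

// Simple check that the hardened output contains no raw quote-terminated
// attribute injection, i.e. the attacker-controlled string is inert markup.
function contains_injected_handler(string $html): bool {
    return (bool) preg_match('/"\s+on\w+\s*=/i', $html);
}

echo "Vulnerable: ", render_slide_vulnerable($stored_title), PHP_EOL;
echo "Hardened:   ", render_slide_hardened($stored_title), PHP_EOL;
echo "Handler injected (vulnerable)? ",
    contains_injected_handler(render_slide_vulnerable($stored_title)) ? 'yes' : 'no', PHP_EOL;
echo "Handler injected (hardened)?   ",
    contains_injected_handler(render_slide_hardened($stored_title)) ? 'yes' : 'no', PHP_EOL;
```

The point the example makes is that the fix belongs at the output boundary: sanitizing the title on save is worthwhile defense in depth, but only escaping for the attribute context guarantees the stored value cannot terminate the attribute, whatever a user with slider-editing rights has typed. The contains_injected_handler() check is a crude illustration for this example, not a substitute for proper escaping or for a detection rule.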
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6408, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
ARTYOM K.