Logo Slider is a WordPress plugin used to create image carousels and sliders, often utilized by businesses and websites to showcase logos, brands, or featured partners. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12308, has been identified in the plugin, which allows a contributor-level user to inject malicious JavaScript into the “Logo Slider” settings. The vulnerability allows the injected script to execute when a user hovers over the carousel. This action can result in admin account creation, providing the attacker with full control over the site. With over 20,000 active installations, this vulnerability poses a serious risk to WordPress websites using the Logo Slider plugin.

CVE: CVE-2024-12308
Plugin: Logo Slider < 4.6.0
Critical: High
All Time: 455 234
Active installations: 20 000+
Publicly Published: January 17, 2025
Last Updated: January 17, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12308/
https://wpscan.com/vulnerability/fa82ada7-357b-4f01-a0d6-ff633b188a80/
Timeline

November 29, 2024: Plugin testing and vulnerability detection in the Logo Slider have been completed
November 29, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 17, 2025: Registered CVE-2024-12308

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of the Logo Slider plugin. It was found that the plugin fails to properly sanitize user input in certain fields within the plugin’s settings. Specifically, the “lgx_carousel_transition_speed” field, used for setting the speed of the carousel’s transition, is vulnerable to JavaScript injection. This flaw allows a contributor, a role that normally has limited access, to inject JavaScript code. The malicious script is stored in the WordPress database and executed when the affected carousel is viewed on the frontend, allowing an attacker to trigger actions such as session hijacking or account creation. The vulnerability stems from a lack of input validation in the plugin’s settings form.

Understanding XSS attacks

Cross-Site Scripting (XSS) is a vulnerability that occurs when an attacker is able to inject malicious JavaScript into a webpage. When executed, this script can perform a variety of malicious actions, such as stealing session cookies, redirecting users to malicious websites, or hijacking user accounts. XSS vulnerabilities are common in WordPress plugins, particularly in those that allow user input or admin-defined settings without proper sanitization. A real-world example of XSS was seen in the WPForms plugin, where attackers could inject JavaScript into form fields to steal sensitive information. CVE-2024-12308 follows a similar pattern in the Logo Slider plugin, where a contributor can inject JavaScript into the plugin’s settings, later executing the script on the frontend when interacting with the carousel.

Exploiting the XSS Vulnerability

To exploit CVE-2024-12308, an attacker with contributor-level privileges proceeds as follows:

POC:

1) Create a new Logo Slider shortcode with a test name.
2) Intercept the update request and change the "lgx_carousel_transition_speed" field to a malicious JS payload.
3) Put the shortcode inside a new post. Hover over the carousel.

____

The potential risks associated with CVE-2024-12308 are significant. If successfully exploited, an attacker could hijack the session of an administrator or any user with elevated privileges. This could lead to unauthorized access to sensitive data, modification of site content, installation of malicious plugins, or defacement of the site. In a real-world scenario, an attacker could create a backdoor admin account, allowing persistent access to the site even after the vulnerability is patched. This is particularly concerning for sites that handle sensitive user information, such as e-commerce or membership websites, as exploitation of this vulnerability could result in data breaches and financial losses. Additionally, the attacker could install further malicious code or compromise other connected systems, leading to broader exploitation.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-12308, administrators should immediately update the Logo Slider plugin to the latest patched version once a fix is available. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially contributors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all user input fields that affect frontend content, such as the “lgx_carousel_transition_speed” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attack, the vendor applied our recommended methods of prevention.
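The following is an added illustration of the fix pattern recommended above (validate on save, escape on output); it is not Logo Slider's own code. Only the field name "lgx_carousel_transition_speed" comes from this advisory; the function names, hook, meta key and nonce action are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Only the field name
// "lgx_carousel_transition_speed" is taken from the advisory; everything
// else (function names, meta key, nonce action) is assumed for illustration.

// BEFORE: the defect pattern described in the advisory. The raw POST value
// is stored as-is and later echoed into the markup, so whatever a
// contributor submits is persisted and rendered verbatim on the frontend.
function lgx_example_save_unsafe( $post_id ) {
    update_post_meta( $post_id, 'lgx_carousel_transition_speed',
        $_POST['lgx_carousel_transition_speed'] );
}

function lgx_example_render_unsafe( $post_id ) {
    $speed = get_post_meta( $post_id, 'lgx_carousel_transition_speed', true );
    return 'data-speed="' . $speed . '"'; // no escaping
}

// AFTER: check intent and capability, then coerce the field to the only
// thing it can legitimately be, a number of milliseconds.
function lgx_example_save_safe( $post_id ) {
    if ( ! isset( $_POST['lgx_speed_nonce'] )
        || ! wp_verify_nonce( $_POST['lgx_speed_nonce'], 'lgx_save_speed' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // absint() discards any non-numeric content outright.
    $speed = absint( $_POST['lgx_carousel_transition_speed'] ?? 0 );
    // Clamp to a sane range so the stored value is never empty or absurd.
    $speed = max( 100, min( 10000, $speed ) );
    update_post_meta( $post_id, 'lgx_carousel_transition_speed', $speed );
}
add_action( 'save_post', 'lgx_example_save_safe' );

// Output is escaped even though the value is numeric, so a later change to
// the save path cannot silently reintroduce markup injection.
function lgx_example_render_safe( $post_id ) {
    $speed = (int) get_post_meta( $post_id, 'lgx_carousel_transition_speed', true );
    if ( $speed <= 0 ) {
        $speed = 1000; // default when the meta value is missing
    }
    return 'data-speed="' . esc_attr( (string) $speed ) . '"';
}
```

Note that contributors do not hold unfiltered_html by default, so the server-side validation shown here is what actually closes the hole; trimming capabilities is a defence-in-depth measure, not a substitute for the plugin update.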

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12308, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-12308 – Logo Slider – Stored XSS to Admin Creation (Contributor+) – POC
