WordPress plugins often enhance website functionality, but occasionally harbor hidden vulnerabilities that compromise security. CVE-2024-1712 exposes such a flaw in Carousel Slider: a Stored XSS vulnerability that can be used to create JavaScript backdoors and imperils website integrity (an attacker who has previously hijacked an administrator or editor account can plant a backdoor to regain access later).

Main info:

CVE: CVE-2024-1712
Plugin: Carousel Slider < 2.2.7
Critical: High
All Time: 881 451
Active installations: 40 000+
Publicly Published: March 25, 2023
Last Updated: March 25, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1712
https://wpscan.com/vulnerability/23805a61-9fcd-4744-a60d-05c8cb43ee01/

Timeline

February 07, 2023: Plugin testing and vulnerability detection in the Carousel Slider plugin have been completed
February 07, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 25, 2024: Registered CVE-2024-1712

Discovery of the Vulnerability

During routine plugin testing, security researchers unearthed a critical vulnerability in Carousel Slider. This flaw permits attackers to execute Stored XSS attacks by embedding malicious scripts via the plugin’s functionality, posing a severe threat to website security.

Understanding Stored XSS Attacks

Stored XSS vulnerabilities in WordPress allow attackers to inject malicious scripts into a website’s database. When unsuspecting users access the compromised content, these scripts execute, potentially leading to the creation of JavaScript backdoors, data theft, or site defacement.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2024-1712, attackers craft a new slider within Carousel Slider and insert malicious code into the “Slides Per View” field. This enables the execution of arbitrary JavaScript, paving the way for the creation of backdoors and compromising website security.

POC:

Create a new slider and put (1212"asd=" onmouseover='Malicious_Function_Here') into the “Slides Per View” field.

___

The ramifications of CVE-2024-1712 extend beyond mere XSS attacks. Malicious actors can exploit this vulnerability to create JavaScript backdoors, granting them unauthorized access to the website. In scenarios where attackers have previously compromised administrator or editor accounts, the risk of backdoor creation heightens, posing significant threats to website integrity.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-1712, website owners should promptly update Carousel Slider to the latest patched version. Additionally, implementing robust security measures such as regular security audits, access control restrictions, and the use of security plugins can bolster website defenses against XSS attacks and prevent the creation of JavaScript backdoors. Stay vigilant and prioritize website security to safeguard against potential threats.

Stay vigilant and proactive in safeguarding your WordPress site against emerging threats like CVE-2024-1712. Your website’s security is paramount, so take action now to prevent potential exploitation.
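For plugin developers, the PoC string above works by closing a double-quoted HTML attribute, so the fix is to validate the numeric field on save and escape it on output. The following is an added example, not the Carousel Slider plugin's own code: the function names, the `data-slides-per-view` attribute and the 1 to 12 range are assumptions made for illustration. It uses plain PHP so it runs outside WordPress; inside a plugin, `absint()` and `esc_attr()` serve the same purpose.

```php
<?php
// Added illustration, not the plugin's code. Function names, the
// data-slides-per-view attribute and the 1..12 range are assumptions.

// Vulnerable pattern: the stored setting is written into a double-quoted
// attribute with no validation and no escaping.
function render_slider_vulnerable(string $slidesPerView): string
{
    return '<div class="slider" data-slides-per-view="' . $slidesPerView . '"></div>';
}

// Fix, part 1: validate on save. The field is a count, so accept only an
// integer inside a sane range and fall back to a default otherwise.
function sanitize_slides_per_view($raw, int $default = 1, int $max = 12): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Fix, part 2: escape on output as well, because values stored before
// validation existed may still contain markup.
function render_slider_hardened($stored): string
{
    $clean = sanitize_slides_per_view($stored);
    $safe  = htmlspecialchars((string) $clean, ENT_QUOTES, 'UTF-8');
    return '<div class="slider" data-slides-per-view="' . $safe . '"></div>';
}

// Constructed input modelled on the PoC string from this page; the event
// handler is the page's own placeholder, not working script.
$poc = '1212"asd=" onmouseover=\'Malicious_Function_Here\'';

// The first line shows the attribute being closed early and a separate
// onmouseover attribute appearing; the other two show a single integer.
echo render_slider_vulnerable($poc), PHP_EOL;
echo render_slider_hardened($poc), PHP_EOL;
echo render_slider_hardened('3'), PHP_EOL;
```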


DMITRII I.
CVE-2024-1712 – Carousel Slider – Stored XSS to JS backdoor creation – POC
