WordPress plugins often enhance website functionality, but occasionally harbor hidden vulnerabilities that compromise security. CVE-2024-1712 exposes such a flaw in Carousel Slider: a Stored XSS that can be used to create JavaScript backdoors and imperils website integrity (if an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later).
Main info:
CVE | CVE-2024-1712 |
Plugin | Carousel Slider < 2.2.7 |
Criticality | High |
All Time | 881 451 |
Active installations | 40 000+ |
Publicly Published | March 25, 2023 |
Last Updated | March 25, 2023 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1712 https://wpscan.com/vulnerability/23805a61-9fcd-4744-a60d-05c8cb43ee01/ |
Timeline
February 07, 2023 | Plugin testing and vulnerability detection in the Carousel Slider plugin have been completed |
February 07, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
March 25, 2024 | Registered CVE-2024-1712 |
Discovery of the Vulnerability
During routine plugin testing, security researchers unearthed a critical vulnerability in Carousel Slider. This flaw permits attackers to execute Stored XSS attacks by embedding malicious scripts via the plugin’s functionality, posing a severe threat to website security.
Understanding Stored XSS Attacks
Stored XSS vulnerabilities in WordPress allow attackers to inject malicious scripts into a website’s database. When unsuspecting users access the compromised content, these scripts execute, potentially leading to the creation of JavaScript backdoors, data theft, or site defacement.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-1712, attackers craft a new slider within Carousel Slider and insert malicious code into the “Slides Per View” field. This enables the execution of arbitrary JavaScript, paving the way for the creation of backdoors and compromising website security.
POC:
Create a new slider and put (1212"asd=" onmouseover='Malicious_Function_Here') into the “Slides Per View” field.
The ramifications of CVE-2024-1712 extend beyond mere XSS attacks. Malicious actors can exploit this vulnerability to create JavaScript backdoors, granting them unauthorized access to the website. In scenarios where attackers have previously compromised administrator or editor accounts, the risk of backdoor creation heightens, posing significant threats to website integrity.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-1712, website owners should promptly update Carousel Slider to the latest patched version. Additionally, implementing robust security measures such as regular security audits, access control restrictions, and the use of security plugins can bolster website defenses against XSS attacks and prevent the creation of JavaScript backdoors. Stay vigilant and prioritize website security to safeguard against potential threats.
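For plugin developers, the PoC value above works only where a stored setting reaches a double-quoted HTML attribute without validation or escaping. The following added example (not Carousel Slider's code and not part of the original advisory) shows that unsafe pattern beside a hardened one; the function names and the data-slides-per-view attribute are hypothetical, and plain PHP is used so it runs outside WordPress, where absint() and esc_attr() fill the same roles.

```php
<?php
// Added illustration, not the plugin's code. Function names and the
// data-slides-per-view attribute are hypothetical.

// Unsafe pattern: the stored setting is concatenated into a double-quoted
// attribute, so a value containing a double quote ends the attribute early.
function render_slider_unsafe(string $slidesPerView): string
{
    return '<div class="slider" data-slides-per-view="' . $slidesPerView . '"></div>';
}

// Validation on save: the field is a count, so accept only decimal digits,
// clamp to a sane range, and fall back to a default for anything else.
function sanitize_slides_per_view($raw, int $default = 1, int $max = 12): int
{
    $raw = is_scalar($raw) ? trim((string) $raw) : '';
    if (!preg_match('/^[0-9]+$/D', $raw)) {
        return $default;
    }
    return min(max((int) $raw, 1), $max);
}

// Escaping on output: applied even though the value is validated on save,
// because rows written before the fix may still hold markup.
function render_slider_safe($stored): string
{
    $value = htmlspecialchars((string) sanitize_slides_per_view($stored), ENT_QUOTES, 'UTF-8');
    return '<div class="slider" data-slides-per-view="' . $value . '"></div>';
}

// Constructed sample values for the "Slides Per View" field.
$samples = ['3', ' 4 ', '1212"asd=" onmouseover=\'Malicious_Function_Here\'', '', '9999'];
foreach ($samples as $s) {
    echo 'stored: ', var_export($s, true), PHP_EOL;
    echo 'unsafe: ', render_slider_unsafe($s), PHP_EOL;
    echo 'safe:   ', render_slider_safe($s), PHP_EOL, PHP_EOL;
}
```

For the third sample, the unsafe output contains a separate onmouseover attribute, while the safe output falls back to the default value of 1.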
Stay vigilant and proactive in safeguarding your WordPress site against emerging threats like CVE-2024-1712. Your website’s security is paramount, so take action now to prevent potential exploitation.
DMITRII I.