The Social Slider Feed plugin for WordPress is used to display social media feeds, such as YouTube videos, Instagram posts, and Twitter feeds, directly on websites. It allows users to create widgets that can be customized with various settings, including titles and content descriptions. However, a critical vulnerability, CVE-2024-10149, has been discovered in this plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers with editor-level access to inject malicious JavaScript code into the widget settings, which is later executed when the widget is viewed on the frontend. This vulnerability could lead to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this issue represents a significant security risk to WordPress sites using the Social Slider Feed plugin.
| CVE | CVE-2024-10149 |
| Plugin | Social Slider Feed < 2.2.9 |
| Critical | High |
| All Time | 2 675 444 |
| Active installations | 50 000+ |
| Publicly Published | January 17, 2025 |
| Last Updated | January 17, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10149/ https://wpscan.com/vulnerability/1619dc4b-4e5e-4b82-820b-3c4e732db3ad/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| September 27, 2024 | Plugin testing and vulnerability detection in the Social Slider Feed have been completed |
| September 27, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2025 | Registered CVE-2024-10149 |
Discovery of the Vulnerability
The vulnerability was identified during a security audit of the Social Slider Feed plugin. The issue stems from improper input validation in the “Title” field of the widget settings for the “Social Slider Feed (YouTube)” widget. This field is intended to allow users to customize the title of the widget. However, the plugin does not adequately sanitize or escape user input in this field, allowing malicious JavaScript to be injected. For example, an attacker can inject a payload. Once this payload is saved, it is stored in the WordPress database and executed when the widget is displayed on the frontend. This flaw arises from the lack of input sanitization in the widget’s settings page.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities in web applications. It occurs when an attacker injects malicious JavaScript into a website, which is then executed in the browsers of users who view the page. XSS vulnerabilities can lead to session hijacking, account takeover, and the execution of malicious actions on behalf of the victim. WordPress plugins are often susceptible to XSS vulnerabilities, particularly those that allow user-generated content or settings input without proper sanitization. A well-known example of XSS in WordPress occurred in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields. Similarly, CVE-2024-10149 in the Social Slider Feed plugin allows an attacker to inject JavaScript into the “Title” field, which is later executed when the widget is rendered on the frontend.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10149, an attacker with editor-level privileges:
POC:
Create a new Widget "Social Slider Feed (Youtube)".You should change "Title" field in settings of a new Giveaway to "Malicious JS code eval() and etc. -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential risks associated with CVE-2024-10149 are significant. If successfully exploited, an attacker could hijack the session of an administrator or any user with elevated privileges, granting the attacker full control over the WordPress site. Once the attacker gains admin access, they could modify site content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges and create a backdoor admin account, providing persistent access to the site even after the vulnerability is patched. This is particularly concerning for websites that handle sensitive user information, such as e-commerce sites or membership platforms, where the exposure of user data could lead to data breaches, financial losses, and reputational damage.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10149, administrators should immediately update the Social Slider Feed plugin to the latest patched version once a fix is released. In addition to updating the plugin, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all user input fields, especially those that affect frontend content, such as the “Title” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10149, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
