The Logo Slider plugin for WordPress, a popular tool for displaying logos and brand images on websites, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10473. This vulnerability allows attackers with contributor-level access to inject malicious JavaScript into the “Brand Name” field of a new logo slider. The injected code can then be executed when the slider is rendered on the front-end of the site, potentially leading to the creation of an admin account and complete site compromise. With over 30,000 active installations, this flaw poses a significant security risk to WordPress sites using the Logo Slider plugin.
| CVE | CVE-2024-10473 |
| Plugin | Logo Slider < 4.5.0 |
| Critical | High |
| All Time | 351 124 |
| Active installations | 30 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10473 https://wpscan.com/vulnerability/7512cbdf-cf27-4a1f-bac8-9fcb14bf463e/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 28, 2024 | Plugin testing and vulnerability detection in the Logo Slider Free have been completed |
| October 28, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10473 |
Discovery of the Vulnerability
During a security review of the Logo Slider plugin, it was discovered that the plugin fails to properly sanitize user input in the “Brand Name” field. This oversight enables attackers with contributor-level access to inject JavaScript code into this field, which is then stored and executed when the logo slider is rendered on the website. The ability for contributors to exploit this vulnerability is particularly concerning, as it allows them to bypass restrictions typically placed on user roles with limited access, enabling them to escalate their privileges and potentially create an admin account through the execution of malicious scripts.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a common vulnerability in web applications that allows attackers to inject malicious scripts into webpages viewed by other users. In WordPress, XSS vulnerabilities are often found in plugins and themes that allow users to input dynamic content, such as form fields, comments, or widget settings. If these inputs are not properly sanitized, malicious scripts can be injected, leading to a range of attacks, including session hijacking, data theft, or privilege escalation. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject scripts into form fields to steal cookies or perform other unauthorized actions. Similarly, CVE-2024-10473 exploits improper input sanitization in the Logo Slider plugin, allowing contributors to inject harmful scripts into the “Brand Name” field.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10473, an attacker with contributor-level access can create a new logo slider and modify the “Brand Name” field to contain a malicious payload
POC:
Create a new Logo Slider. Change "Brand Name" field to 123" onmouseover=alert(1)// -> Set any image you want -> Publish -> Copy shortcode of new slider and paste it inside new post. -> reload page and hover on this block____
The risks associated with CVE-2024-10473 are significant. If exploited, this vulnerability could allow an attacker to steal sensitive information, gain unauthorized access to user accounts, and potentially escalate their privileges to admin-level access. In a real-world scenario, an attacker could create a backdoor admin account, giving them complete control over the WordPress site. The attacker could then modify the site’s content, steal user data, install malicious plugins, or perform other unauthorized actions. This type of vulnerability is particularly dangerous for sites handling sensitive information, such as e-commerce sites or membership platforms, as it could result in severe data breaches, financial loss, and damage to the site’s reputation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10473, it is essential for WordPress administrators to update the Logo Slider plugin to the latest version as soon as a patch is released. Administrators should also restrict contributor-level users from accessing sensitive settings like the “Brand Name” field in the logo slider. Sanitizing all user inputs, especially in dynamic content fields such as titles and captions, is crucial to prevent XSS attacks. It is also advisable to limit the unfiltered_html capability for non-admin users to prevent them from injecting JavaScript into WordPress posts or plugin settings. Implementing a Content Security Policy (CSP) and conducting regular security audits can help detect and block XSS vulnerabilities before they can be exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10473, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
