The Slider by 10Web plugin is a widely used WordPress tool for creating visually engaging image sliders. With over 30,000 active installations, it gives site owners an easy way to display images, video, and other content in a slideshow format. Despite its useful features, a critical vulnerability, CVE-2024-10565, has been discovered that allows stored Cross-Site Scripting (XSS) through the plugin's settings. The flaw lets an attacker inject malicious JavaScript into a website, which could result in the creation of a backdoor and unauthorized access to the site's admin functions.
| Field | Value |
|---|---|
| CVE | CVE-2024-10565 |
| Plugin | Slider by 10Web < 1.2.62 |
| Critical | High |
| All-time downloads | 2 328 796 |
| Active installations | 30 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10565 https://wpscan.com/vulnerability/4ef05302-a6ca-4816-ab0d-a4e3bf7a5e22/ |
Timeline

| Date | Event |
|---|---|
| October 7, 2024 | Plugin testing and vulnerability detection in the Slider by 10Web have been completed |
| October 7, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2024-10565 |
Discovery of the Vulnerability
The vulnerability in the Slider by 10Web plugin was discovered during testing and involves the “Title” field in the slider settings. Specifically, the plugin does not properly sanitize user input in this field, allowing users to inject JavaScript code. This is a classic example of stored XSS, where the malicious payload is saved in the plugin settings and executed when the slider is rendered. This flaw enables a user with editor privileges (or any role with sufficient access) to execute arbitrary JavaScript in the browser of an admin user who views the page. This can allow attackers to escalate their privileges and potentially take over the website.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities are a common security issue in web applications, including WordPress plugins. An XSS attack occurs when an attacker injects malicious scripts into web pages, which are then executed in the browser of any user who accesses those pages. In WordPress, these vulnerabilities often arise in plugins that accept and display user input without proper sanitization. In real-world examples, vulnerabilities like XSS have been exploited to steal session cookies, hijack admin accounts, or execute malicious scripts. For example, the 2019 vulnerability in the WPBakery Page Builder plugin allowed attackers to inject XSS and hijack admin accounts. CVE-2024-10565 operates similarly, allowing for privilege escalation through stored malicious scripts.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10565, an attacker needs editor or higher privileges.

PoC:

Create a new Slider by 10Web widget. Change the "Title" field to malicious JS code (eval() and so on), for example 123"onmouseover=alert(11251)// -> Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The risks associated with CVE-2024-10565 are significant, as they could allow attackers to escalate their privileges and gain full administrative access to the WordPress site. Once an attacker has gained admin access, they could perform actions such as installing backdoors, altering website content, stealing sensitive information, or even executing further attacks on users. For instance, an attacker could use the XSS vulnerability to inject malicious scripts that steal session cookies, granting them unauthorized access to the WordPress admin dashboard. This could also lead to defacing the website, deleting content, or redirecting users to malicious sites. For e-commerce websites, membership portals, or any platform with sensitive user data, the potential consequences of this vulnerability are severe.
Recommendations for Improved Security
To mitigate the risks of CVE-2024-10565, users of the Slider by 10Web plugin should update to the latest patched version as soon as possible. Developers should ensure that all user inputs, especially those in fields like the "Title" field, are properly sanitized and validated. This can be achieved by using WordPress functions such as esc_html() or wp_kses(), which strip harmful HTML and JavaScript from user input. Additionally, WordPress administrators should restrict access to sensitive plugin settings, ensuring that only trusted roles, such as admins, can modify slider settings. Finally, enabling a Web Application Firewall (WAF) and performing regular security audits can help detect and prevent exploitation of vulnerabilities like CVE-2024-10565. The vendor applied our recommended fixes to prevent this type of attack.
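As an added illustration (not code from the plugin, the vendor, or the researcher), the following shows the unsafe rendering pattern behind a stored XSS in a slider title beside a hardened version built on WordPress sanitization and escaping; the function and option names are hypothetical.

```php
<?php
// Hypothetical example, not the plugin's own code.

// Vulnerable pattern: the stored title is echoed straight into an attribute
// and a text node. A title like 123"onmouseover=alert(1)// closes the
// title="" attribute and smuggles in an event handler.
function render_slide_title_unsafe( $title ) {
    return '<div class="slide-title" title="' . $title . '">' . $title . '</div>';
}

// Hardened layer 1, on save: normalize the input and allow no markup at all
// unless the current user holds unfiltered_html (which editors should not
// rely on for a settings field).
function save_slide_title( $raw_title ) {
    $clean = sanitize_text_field( wp_unslash( $raw_title ) );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // wp_kses() with an empty allow-list strips every tag.
        $clean = wp_kses( $clean, array() );
    }
    // Note: neither call removes a bare double quote, so the attribute-
    // breaking payload above still survives this step. Output escaping
    // (layer 2) is what actually neutralizes it.
    update_option( 'example_slider_title', $clean ); // hypothetical option name
}

// Hardened layer 2, on output: escape for the exact context the value lands
// in. esc_attr() encodes the quote inside the attribute, esc_html() encodes
// < > & " in the text node, so the stored string can no longer become code.
function render_slide_title_safe( $title ) {
    return '<div class="slide-title" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</div>';
}
```

Escaping at output time is the control that closes the bug even if a tainted value is already stored; input sanitization limits what is persisted but must not be the only defense.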
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10565, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.