The Slider by 10Web plugin is a popular WordPress plugin used for creating responsive image sliders, enhancing the visual appeal of websites. With over 30,000 active installations, this plugin has been widely adopted for its ease of use and feature-rich offerings, including the ability to add watermarks, customize image transitions, and manage slider content. However, a critical vulnerability, CVE-2024-10566, has been discovered within the plugin that allows attackers to execute Stored Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by contributors (and other users with lower privileges), enabling them to escalate their permissions and create an admin account by embedding malicious scripts in the plugin’s settings.
CVE | CVE-2024-10566 |
Plugin | Slider by 10Web < 1.2.62 |
Critical | High |
All Time | 2 328 796 |
Active installations | 30 000+ |
Publicly Published | March 21, 2025 |
Last Updated | March 21, 2025 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10566 https://wpscan.com/vulnerability/a98a7f11-4c01-4b91-8adc-465beefa310a/ |
Plugin Security Certification by CleanTalk | ![]() |
Logo of the plugin | ![]() |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
October 3, 2024 | Plugin testing and vulnerability detection in the Slider by 10Web – Responsive Image Slider have been completed |
October 3, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
March 21, 2025 | Registered CVE-2024-10566 |
Discovery of the Vulnerability
The vulnerability was discovered in the “Watermark text” field within the plugin’s settings. This field allows users to apply a watermark to images displayed within the slider. The issue arises because the plugin does not properly sanitize or validate the input provided in the “Watermark text” field, which can be manipulated to include JavaScript code. As a result, an attacker with contributor-level access or higher can insert malicious code into the field, which is then stored and executed whenever the slider is viewed by an administrator. This stored XSS vulnerability could potentially allow an attacker to escalate their privileges and take control of the WordPress site.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications, particularly in content management systems like WordPress. It occurs when an attacker is able to inject malicious JavaScript code into a website, which is then executed in the browser of any user who views the affected content. In WordPress, XSS vulnerabilities can result in severe consequences, such as session hijacking, account takeover, data theft, and unauthorized administrative actions. Real-world examples of XSS attacks in WordPress plugins have led to large-scale security breaches. For example, vulnerabilities in the WPForms plugin allowed attackers to inject scripts into form fields, enabling them to compromise user accounts. Similarly, CVE-2024-10566 can be exploited in a comparable manner, where attackers gain administrative control through the injected script.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10566, an attacker with contributor+ privileges:
POC:
1) You should create a new Slider 2) Add here one random image 3) In settings change "Watermark text" in Watermark section to <img src=x onerror=alert(1)>
____
The risks associated with CVE-2024-10566 are substantial. An attacker who successfully exploits this vulnerability can escalate from a low-privileged contributor role to an administrator. Once granted admin privileges, the attacker can gain full control over the website, including installing malware, stealing sensitive data, deleting content, or redirecting visitors to malicious sites. For instance, an attacker could use this privilege escalation to access sensitive user data, manipulate the site’s content, or compromise the entire WordPress installation. This is particularly dangerous for websites that handle sensitive information, such as e-commerce platforms, membership sites, or any platform relying on the security of user data.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10566, users of the Slider by 10Web plugin should immediately update to the latest patched version of the plugin. Developers should implement proper input validation and sanitization in the “Watermark text” field and similar user input fields to ensure that no JavaScript or other malicious code can be injected. Using WordPress functions like esc_html()
and wp_kses()
can help prevent harmful code from being executed. Furthermore, site administrators should limit the ability to modify slider settings to trusted roles and regularly audit all plugins for vulnerabilities. Employing a Web Application Firewall (WAF) and running routine security scans will also help to detect and prevent such XSS vulnerabilities from being exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10566, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.