The Logo Slider plugin for WordPress, which enables users to display brand logos and images in a slider format, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10896. This flaw allows attackers with contributor-level access to inject malicious JavaScript into the plugin’s settings, which is then executed when the slider block is interacted with on the front-end. This vulnerability can lead to serious consequences, including the creation of an admin account and full site compromise. With over 30,000 active installations, the potential impact of this vulnerability is significant for WordPress sites using the Logo Slider plugin.
| CVE | CVE-2024-10896 |
| Plugin | Logo Slider < 4.5.0 |
| Critical | High |
| All Time | 351 124 |
| Active installations | 30 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10896 https://wpscan.com/vulnerability/1304c2b6-922d-455e-bae8-d6bf855eddd9/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 24, 2024 | Plugin testing and vulnerability detection in the Logo Slider Free have been completed |
| October 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10896 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Logo Slider plugin. It was found that the plugin fails to properly sanitize input in the “Logo Image Height” field. This oversight allows contributors to inject JavaScript into this field, which is stored and executed when the slider block is viewed in the frontend. The flaw arises because the plugin does not properly sanitize user inputs, allowing malicious scripts to be injected and stored in the WordPress database. Once the script is executed, the attacker can perform actions such as session hijacking, data theft, or privilege escalation, ultimately leading to an admin account being created.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most common security issues in web applications, particularly in content management systems like WordPress. XSS occurs when an attacker injects malicious scripts into a website, which are then executed in the browser of anyone who views the affected content. This can lead to session hijacking, unauthorized actions on behalf of the user, and even privilege escalation. A real-world example of XSS in WordPress is the vulnerability found in the WPForms plugin, where attackers could inject malicious JavaScript into form fields, leading to the theft of session cookies and account takeover. Similarly, CVE-2024-10896 allows contributors to inject harmful JavaScript into the “Logo Image Height” field, exploiting improper input validation and resulting in malicious behavior on the site.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10473, an attacker with contributor-level access can create a new logo slider and modify it like this:
POC:
Create a new Logo Slider. Change "Logo Image Height" field to 123" onmouseover=alert(1)// -> reload page and hover on this block____
The risks associated with CVE-2024-10896 are severe. A successful attack can allow an attacker to hijack an administrator’s session, steal sensitive data, or even create an admin account for persistent access to the WordPress site. In a real-world scenario, an attacker could use the vulnerability to take over a website, change the content, install malicious plugins, or steal personal and financial data from users. This type of vulnerability is particularly dangerous for e-commerce sites, membership platforms, or any website handling sensitive data, as it could lead to a significant data breach, financial loss, and damage to the site’s reputation. Furthermore, the attack could serve as a gateway for further exploitation, compromising other parts of the WordPress installation or connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10896, it is crucial for administrators to update the Logo Slider plugin to the latest version once a patch is available. In addition, administrators should review user permissions and restrict access to sensitive plugin settings like the “Logo Image Height” field. Sanitizing all user inputs, particularly in settings fields, is essential to prevent malicious scripts from being injected and executed. It is also recommended to restrict the unfiltered_html capability for non-admin users and to use security plugins that scan for vulnerabilities. Implementing Content Security Policies (CSP) can also help prevent the execution of untrusted scripts, reducing the impact of any successful XSS attacks. Regularly auditing plugins for security vulnerabilities is an important practice to ensure the site remains secure. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10896, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
