Master Slider is a widely used WordPress plugin that enables users to create responsive sliders for showcasing images, videos, and other content. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12173, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Slider custom styles” field within the plugin’s main settings. The injected script is then executed on the frontend when the slider is rendered, which can lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability presents a significant security risk for WordPress sites using Master Slider.

CVE: CVE-2024-12173
Plugin: Master Slider < 3.10.5
Severity: High
All-time downloads: 2 951 126
Active installations: 100 000+
Publicly Published: January 17, 2024
Last Updated: January 17, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12173
https://wpscan.com/vulnerability/0f35be0e-0f63-4e33-aa4d-c47b1f1e0595/

Timeline

January 14, 2024: Plugin testing and vulnerability detection in Master Slider have been completed.
January 14, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
January 17, 2024: Registered CVE-2024-12173.

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of Master Slider. The issue lies in the “Slider custom styles” field, which allows users to add custom CSS styles for sliders. Unfortunately, the plugin does not properly sanitize or validate the input in this field, allowing users to inject malicious JavaScript. The malicious script is stored in the WordPress database when the settings are saved and is executed when the slider is viewed on the frontend. The vulnerability arises from inadequate input validation and sanitization in this setting, which can be exploited by users with minimal privileges, such as editors.

Understanding XSS Attacks

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious JavaScript into a webpage, which is then executed by the browser of anyone who views the page. This type of attack is particularly dangerous because it can lead to session hijacking, credential theft, and unauthorized access to sensitive data. XSS vulnerabilities are common in WordPress plugins that accept user input without properly sanitizing it. A well-known example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject malicious scripts into form fields, enabling session hijacking. CVE-2024-12173 is a flaw of the same kind in Master Slider: JavaScript can be injected into the “Slider custom styles” field, allowing attackers to execute arbitrary scripts on the frontend.

Exploiting the XSS Vulnerability

To exploit CVE-2024-12173, an attacker with editor-level privileges proceeds as follows.

PoC:

Create a new slider. In the main settings, set the "Slider custom styles" field to malicious JavaScript (eval() and the like), for example "</style><img src=x onerror=alert(1)>", then save the settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The risks associated with CVE-2024-12173 are severe. If successfully exploited, this vulnerability can give an attacker full control of a WordPress site. Once the attacker hijacks an admin’s session or escalates their privileges, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could use this vulnerability to create a backdoor admin account, providing persistent access to the site even after the vulnerability is patched. This is particularly concerning for websites that handle sensitive information, such as e-commerce or membership sites, where exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, the attacker could use the backdoor to install further malicious code or compromise other connected systems.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-12173, administrators should immediately update the Master Slider plugin to the patched version (3.10.5 or later). Administrators should also restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all user-provided content, especially in fields that affect frontend content, such as the “Slider custom styles” field. Using a Content Security Policy (CSP) can help mitigate the impact of XSS attacks by blocking untrusted scripts from executing. Regular security audits, the use of security plugins, and periodic review of user roles and permissions are essential to detecting and preventing such vulnerabilities. To prevent this type of attack, the vendor applied the mitigations we recommended.
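The following is an added example, not Master Slider's own code, that ties the mechanism described in "Discovery of the Vulnerability" to the fixes recommended above: a sanitizer for a "custom styles" setting that removes the angle brackets the "</style>" break-out depends on, an output routine that refuses to print a stale unsanitized value, a detector for scanning stored values after upgrading, and the WordPress filter that denies unfiltered_html to every role. All function names are illustrative; the add_filter call is the standard WordPress map_meta_cap hook and is guarded so the file also runs under plain PHP.

```php
<?php
// Added example (not Master Slider's code). Function names are illustrative.

/**
 * Sanitize user-supplied CSS before storing it. CSS has no need for literal
 * '<' or '>' outside string values, so removing them defeats the
 * "</style><img onerror=...>" break-out while leaving ordinary rules intact.
 */
function example_sanitize_slider_css(string $css): string {
    $css = strip_tags($css);                              // drop any HTML tags outright
    $css = str_replace(['<', '>'], '', $css);             // no angle brackets survive
    $css = preg_replace('/expression\s*\(/i', '', $css);  // legacy IE CSS expressions
    return trim($css);
}

/**
 * Render stored CSS inside a <style> block. If an unsanitized value from
 * before the fix is still in the database, print nothing rather than markup.
 */
function example_render_slider_css(string $stored_css): string {
    if (strpbrk($stored_css, '<>') !== false) {
        return '';
    }
    return "<style id=\"slider-custom\">\n" . $stored_css . "\n</style>";
}

/**
 * Flag stored values that look like an injection attempt, for scanning
 * existing slider settings or review of admin activity after an upgrade.
 */
function example_css_looks_malicious(string $css): bool {
    $pattern = '/<\s*\/?\s*(style|script|img|svg|iframe)\b|\bon\w+\s*=|javascript:/i';
    return (bool) preg_match($pattern, $css);
}

// Constructed sample inputs: the PoC payload from this post and a benign rule.
$payload = '</style><img src=x onerror=alert(1)>';
$benign  = '.ms-slide h2 { color: #c00; font-size: 2em; }';

var_dump(example_css_looks_malicious($payload));
var_dump(example_css_looks_malicious($benign));
echo example_render_slider_css(example_sanitize_slider_css($payload)), "\n";
echo example_render_slider_css($benign), "\n";

// Inside WordPress, also deny unfiltered_html to every role so editors cannot
// post raw script anywhere (guarded so this file runs under plain PHP too).
if (function_exists('add_filter')) {
    add_filter('map_meta_cap', function (array $caps, string $cap): array {
        return $cap === 'unfiltered_html' ? ['do_not_allow'] : $caps;
    }, 10, 2);
}
```

The same restriction can be applied site-wide without code by setting DISALLOW_UNFILTERED_HTML to true in wp-config.php.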

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12173, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-12173 – Master Slider – Stored XSS to JS Backdoor Creation – POC
