In the digital landscape, vulnerabilities in software can lead to significant security risks. One such vulnerability, CVE-2024-3703, has been discovered in the Carousel Slider plugin for WordPress. This particular vulnerability, categorized as a Stored XSS (Cross-Site Scripting), can enable malicious actors to execute arbitrary code on behalf of contributors, potentially leading to account takeover and other malicious activities. This article delves into the discovery, exploitation, potential risks, and recommendations associated with this vulnerability. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back)

Main info:

PluginCarousel Slider < 2.2.10
All Time894,599
Active installations40 000+
Publicly PublishedApril 12, 2024
Last UpdatedApril 12, 2024
ResearcherArtyom Krugov
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Plugin Security Certification by CleanTalk


April 8, 2024Plugin testing and vulnerability detection in the Carousel Slider plugin have been completed
April 8, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 12, 2024Registered CVE-2024-3703

Discovery of the Vulnerability

During the testing phase of the Carousel Slider plugin, security researchers identified a vulnerability that allows for the implementation of Stored XSS. This vulnerability occurs when an attacker embeds malicious script into certain parameters within the plugin’s interface. By exploiting this vulnerability, attackers can execute unauthorized actions on the WordPress site, posing a serious threat to its security and integrity.

Understanding of Stored XSS attack’s

Stored XSS, or Persistent XSS, is a type of Cross-Site Scripting attack where the malicious script is injected into the web application’s database or another data store. When the vulnerable page is accessed by a user, the script executes in the user’s browser, often leading to unauthorized actions or data theft.

Exploiting the Stored XSS Vulnerability

To exploit the Stored XSS vulnerability in the Carousel Slider plugin, attackers can follow a series of steps within the plugin’s interface. By manipulating specific parameters, such as the slider padding settings, attackers can inject malicious payloads that will execute when other users interact with the affected slider. This allows attackers to execute arbitrary code in the context of the victim’s session, potentially leading to account takeover or other malicious activities


  1. Click Add New
  2. Any name and select Hero Carousel
  3. Vulnerable Slider Padding parameters
  4. Requests are intercepted in these parameters through the Burp Suite tool
  5. Enter Shortcode with id from Editor.

Enter the payload into the parameters: content_settings[slide_padding][top]=”onmouseover=’alert(1)’


The exploitation of CVE-2024-3703 poses significant risks to WordPress sites using the Carousel Slider plugin. With the ability to execute arbitrary code in the context of contributor accounts, attackers can perform various malicious actions


To mitigate the risks associated with CVE-2024-3703 and similar vulnerabilities, WordPress site administrators and developers should take the following measures:

  • Update the Carousel Slider plugin to the latest patched version to mitigate the vulnerability.
  • Regularly monitor and audit plugins and themes for security vulnerabilities.
  • Implement proper input validation and output sanitization techniques to prevent XSS attacks.
  • Educate contributors and users about the risks of XSS vulnerabilities and the importance of secure coding practices.
  • Employ security plugins and web application firewalls to detect and block malicious activities.

Stay vigilant and proactive in safeguarding your WordPress site against emerging threats like CVE-2024-3703. Your website’s security is paramount, so take action now to prevent potential exploitation.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-3703 – Carousel Slider – Editor+ Stored XSS – POC

Leave a Reply

Your email address will not be published. Required fields are marked *