Carousel, Slider, Gallery by WP Carousel is a popular WordPress plugin that enables website owners to create interactive carousels, sliders, and galleries. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in this plugin, identified as CVE-2024-4002. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which can then be executed when the carousel is rendered. The malicious script can create a backdoor, enabling attackers to take over admin accounts or perform other malicious actions. With over 50,000 active installations, this flaw presents a significant risk to websites using WP Carousel.
| CVE | CVE-2024-4002 |
| Plugin | Carousel, Slider, Gallery by WP Carousel < 2.6.9 |
| Critical | High |
| All Time | 1 667 351 |
| Active installations | 50 000+ |
| Publicly Published | January 17, 2024 |
| Last Updated | January 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4002 https://wpscan.com/vulnerability/298b51ec-afad-4bc1-968d-76c59e55fc05/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| April 4, 2024 | Plugin testing and vulnerability detection in the WP Carousel have been completed |
| April 4, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2024 | Registered CVE-2024-4002 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the Carousel, Slider, Gallery plugin. The issue lies in the “carousel_auto_play_speed” field when creating or configuring a new carousel. This field fails to properly sanitize user input, which allows attackers to inject malicious JavaScript. When the settings are saved, the injected script is stored in the WordPress database. Once the carousel is rendered on the frontend, the script is executed, which could lead to session hijacking or the creation of a backdoor admin account. The vulnerability stems from inadequate input validation and sanitization in this field, allowing contributors to inject scripts that can later be triggered when the carousel is displayed.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when an attacker injects malicious scripts into web pages that are later executed by browsers visiting those pages. This can result in a range of harmful outcomes, including session hijacking, credential theft, and privilege escalation. XSS is a common vulnerability in WordPress plugins, especially those that allow user-generated content or dynamic configuration settings. A real-world example of an XSS vulnerability in WordPress was found in the WPForms plugin, where attackers could inject JavaScript into form fields, leading to session hijacking. Similarly, CVE-2024-4002 exploits improper sanitization in the WP Carousel plugin, allowing contributors to inject JavaScript into carousel settings.
Exploiting the XSS Vulnerability
To exploit CVE-2024-4002, an attacker with editor-level privileges:
POC:
You should go to creation of new Carousel. Change "5Bcarousel_auto_play_speed" field to (23='onmouseover=alert(1)//) -> Save Settings____
The risks associated with CVE-2024-4002 are severe. If successfully exploited, this vulnerability could allow an attacker to hijack an admin’s session, gaining full control over the WordPress site. Once the attacker gains admin access, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could escalate their privileges by creating a backdoor admin account, allowing them to maintain control over the site even after the vulnerability is patched. For websites that handle sensitive data, such as e-commerce or membership sites, the exploitation of this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Additionally, the attacker could use the backdoor to install further malicious code or compromise other systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-4002, administrators should immediately update the Carousel, Slider, Gallery by WP Carousel plugin to the latest patched version once a fix is available. It is crucial to ensure that all user inputs, especially in configuration fields such as “carousel_auto_play_speed,” are properly sanitized and validated. Disabling the unfiltered_html capability for non-admin users, especially contributors, can prevent them from injecting JavaScript into plugin settings. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block XSS vulnerabilities. Additionally, limiting user permissions and reviewing user roles periodically can further reduce the risk of privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4002, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
