WordPress plugins significantly enhance the functionality and versatility of websites. However, their widespread use also makes them a common target for security vulnerabilities. One such recent discovery is CVE-2024-6026 in the Slider by 10Web plugin, which affects over 20,000 installations. This vulnerability allows attackers to execute Stored Cross-Site Scripting (XSS) attacks, leading to severe consequences, including unauthorized admin account creation.

PluginSlider by 10Web < 1.2.56
All Time2 255 607
Active installations20 000+
Publicly PublishedJune 27, 2024
Last UpdatedJune 27, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6026
Plugin Security Certification by CleanTalk
Logo of the plugin


June 13, 2024Plugin testing and vulnerability detection in the Slider by 10Web have been completed
June 13, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 27, 2024Registered CVE-2024-6026

Discovery of the Vulnerability

During a routine security assessment of the Slider by 10Web plugin, a critical vulnerability was identified. This flaw allows a contributor to embed malicious JavaScript code into a new post. The embedded code can execute actions that result in the creation of an admin account, thereby giving the attacker full control over the website. This discovery highlights the importance of continuous security testing and vigilance in maintaining plugin security.

Understanding of Stored XSS attack’s

Cross-Site Scripting (XSS) is a common vulnerability found in web applications, including WordPress plugins. XSS allows attackers to inject malicious scripts into web pages viewed by other users. When an unsuspecting user, typically with elevated privileges, interacts with the infected page, the malicious script executes in their browser. This can lead to a variety of malicious activities, such as session hijacking, data theft, and in severe cases, full account takeovers.

A notable example of XSS in WordPress involved the widely-used plugin Slider by 10Web. By manipulating specific fields within the plugin’s settings, attackers could inject harmful scripts that execute when the page is viewed, causing unintended and harmful actions on the website.

Exploiting the Stored XSS Vulnerability

To exploit this vulnerability, an attacker needs to follow these steps:


http://123.123″ style=”animation-duration:1s;animation-name:slidein;animation-iteration-count:2″ onwebkitanimationiteration=”alert(1)” -> to the “Link the slide to:” field in Slide Options @keyframes slidein {} -> to CSS in main Settings of new Slider


The potential risks associated with CVE-2024-6026 are severe. If exploited, this vulnerability could lead to:

  • Unauthorized admin account creation: Attackers can gain full control of the website.
  • Data breaches: Sensitive user information could be accessed and exfiltrated.
  • Website defacement: Malicious actors could alter the website’s content to distribute misinformation or malware.
  • Further exploitation: Compromised sites could be used to launch additional attacks on visitors or other websites.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-6026, the following security measures are recommended:

  • Update the Plugin: Ensure the Quiz and Survey Master plugin is updated to the latest version, where this vulnerability is patched.
  • Sanitize and Validate Inputs: Implement rigorous input sanitization and validation to prevent the injection of malicious scripts.
  • Use Security Plugins: Employ security plugins that offer XSS protection and regularly scan for vulnerabilities.
  • Restrict User Permissions: Limit the permissions of contributors and other non-admin users to minimize the risk of exploitation.
  • Regular Security Audits: Conduct regular security audits and penetration tests to identify and address vulnerabilities promptly.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6026, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-6026 – Slider by 10Web – Stored XSS to Admin Account Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *