The WordPress ecosystem offers a vast array of plugins to enhance website functionality, but it also opens the door to potential security vulnerabilities. One such vulnerability, identified as CVE-2024-6850, has been discovered in the “Carousel Slider” plugin, which is widely used for creating customizable, responsive carousel sliders. This vulnerability allows attackers to execute stored cross-site scripting (XSS) attacks, which could lead to the creation of malicious administrator accounts and full site compromise.

CVE: CVE-2024-3901
Plugin: Carousel Slider < 2.2.14
Severity: Medium
All-time downloads: 975 356
Active installations: 40 000+
Publicly published: June 20, 2024
Last updated: June 20, 2024
Researcher: Artyom Krugov
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6850/
https://wpscan.com/vulnerability/c06995cb-1685-4751-811f-aead52a597a7/

Timeline

June 20, 2024: Plugin testing and vulnerability detection in Carousel Slider were completed.
June 20, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
August 28, 2024: Registered CVE-2024-6850.

Discovery of the Vulnerability

During a routine security audit of the “Carousel Slider” plugin, researchers uncovered a serious flaw in the way user input is handled in certain fields. The vulnerability was specifically found in the Hero Carousel feature, where the input fields for “Spacing/Gutter” and “Description of Spacing/Gutter” failed to properly sanitize user input. This oversight allows attackers to inject malicious scripts that can execute when an unsuspecting administrator views the affected page.

Understanding Stored XSS Attacks

Stored XSS attacks are particularly dangerous within WordPress because they allow attackers to inject malicious scripts into web pages viewed by other users. These scripts can steal cookies, hijack sessions, or redirect victims to malicious websites. This type of vulnerability is notorious within web applications and has been exploited in numerous plugins, underscoring the need for rigorous input sanitization.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2024-6850, follow these steps:

POC:

  1. Navigate to the Carousel Slider panel within the WordPress admin dashboard.
  2. Add a new Hero Carousel by clicking on the “Add Hero Carousel” button.
  3. Click the “Add Slide” button to create a new slide within the carousel.
  4. Switch to the “Slide Style” tab and locate the “Spacing/Gutter” and “Description of Spacing/Gutter” fields.
  5. Insert the following payload into these fields: 7777"onmouseover='alert(123)'
  6. Set the Content Animation option to “Fade in Down” for the slide.
  7. Save the vulnerable slider and embed it using the provided shortcode.


Once these steps are completed, the injected script executes whenever an administrator interacts with the slider, potentially leading to account hijacking or the creation of backdoor access.
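To show why the payload above works and how the field should have been handled, here is an added defensive illustration (not code from the plugin or from the author). The post does not show the plugin's template, so the markup, the field name and the "margin" style are constructed stand-ins; the check at the end parses the rendered tag and reports any on* event-handler attribute that appears, which is how the attribute breakout is detected in a unit test or a code review.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values: the PoC payload quoted in this post and a benign one.
PAYLOAD = "7777\"onmouseover='alert(123)'"
BENIGN = "20px"

# Allow-list for the "Spacing/Gutter" field: a CSS length and nothing else.
CSS_LENGTH = re.compile(r"^-?\d+(?:\.\d+)?(?:px|em|rem|%|vw|vh)?$")

def validate_gutter(value: str, default: str = "0px") -> str:
    """Return the value if it is a plain CSS length, otherwise a safe default."""
    return value.strip() if CSS_LENGTH.fullmatch(value.strip()) else default

def render_unsafe(gutter: str) -> str:
    """Vulnerable pattern (constructed stand-in for the plugin's template, which
    this post does not show): the stored value is concatenated into a quoted attribute."""
    return f'<div class="slide" style="margin: {gutter}">'

def render_escaped(gutter: str) -> str:
    """Escaping alone (what WordPress's esc_attr() does): quotes become entities,
    so the value can no longer close the attribute it sits in."""
    return f'<div class="slide" style="margin: {html.escape(gutter, quote=True)}">'

def render_safe(gutter: str) -> str:
    """Hardened: allow-list validation first, attribute escaping as defence in depth."""
    return render_escaped(validate_gutter(gutter))

class _AttrCollector(HTMLParser):
    """Records every attribute name the parser sees on start tags."""
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.names.extend(name for name, _ in attrs)

def event_handlers(markup: str) -> list[str]:
    """Which on* event-handler attributes does the rendered tag carry?
    A breakout from the intended attribute shows up here as an extra attribute."""
    collector = _AttrCollector()
    collector.feed(markup)
    return sorted(n for n in collector.names if n.startswith("on"))

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped, render_safe):
        markup = render(PAYLOAD)
        print(render.__name__, event_handlers(markup), markup)
```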

Recommendations for Improved Security

To mitigate this vulnerability, users are urged to update the Genesis Blocks plugin immediately upon release of a fix. Additionally, site administrators should regularly audit their plugins and themes for updates and potential vulnerabilities, employ robust input validation, and consider using web application firewalls (WAFs) to detect and block malicious input.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6850, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability


ARTYOM K.
CVE-2024-6850 – Carousel Slider – Stored XSS to Admin Account Creation – POC
