CVE-2024-8283 exposes a serious vulnerability in the Slider by 10Web plugin, a widely used WordPress plugin with over 30,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers, particularly users with contributor-level access, to inject malicious JavaScript (JS) code through the plugin’s slider settings. When exploited, this vulnerability enables attackers to take over admin accounts and create backdoors, allowing them to maintain long-term access to the site.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-8283 |
| Plugin | Slider by 10Web < 1.2.59 |
| Critical | High |
| All Time | 1 154 382 |
| Active installations | 30 000+ |
| Publicly Published | September 14, 2024 |
| Last Updated | September 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8283 https://wpscan.com/vulnerability/a60aed55-c0a2-4912-8844-cdddf31d90b6/ |
Timeline

| Date | Event |
| --- | --- |
| August 27, 2024 | Plugin testing and vulnerability detection in the Slider by 10Web have been completed |
| August 27, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 14, 2024 | Registered CVE-2024-8283 |
Discovery of the Vulnerability
The vulnerability was uncovered during security testing of the Slider by 10Web plugin. The flaw lies in the “link the slide to” field in the slide options. This field allows an attacker to inject JavaScript without proper sanitization, making it a prime target for XSS attacks. The vulnerability allows users with contributor-level access to embed malicious scripts into a slider, which executes when an admin interacts with the post containing the slider.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities occur when user-supplied input is not properly sanitized, allowing attackers to inject malicious scripts that are then executed in the browser of other users. Stored XSS, like in CVE-2024-8283, is particularly dangerous because the malicious script is stored in the WordPress database and triggered whenever a certain action (such as viewing a post) occurs.
In the case of Slider by 10Web, the vulnerability is present in the slider’s “link the slide to” option, which allows attackers to insert harmful scripts that can hijack user sessions, steal credentials, or escalate privileges. Real-world examples of XSS in WordPress often involve attackers embedding malicious scripts into forms, plugin settings, or post metadata, resulting in compromised accounts, data theft, or defacement of the website.
Exploiting the XSS Vulnerability
To exploit CVE-2024-8283, an attacker with contributor-level access creates a new slider and uploads a random image. The attacker then injects a malicious JavaScript payload into the “link the slide to” field within the slide options, such as:
PoC:
1) Create a new slider.
2) Add one random image to it.
3) Change the "link the slide to" field in the slide options to: http://127.0.0.1/wordpress/wp-admin/123','_blank');alert(1);wds_slide_redirect_link(event,'123
4) Create a new post and insert the shortcode of the new slider. Open this post and click the slider.
The risks associated with CVE-2024-8283 are severe. If exploited, this vulnerability could allow attackers to hijack admin accounts, create persistent backdoors, and gain full control over the WordPress site. In real-world scenarios, attackers could use this vulnerability to insert malware, redirect users to phishing sites, or steal sensitive customer data from e-commerce websites.
For example, an attacker could compromise an admin account, steal credentials, or install a hidden backdoor to maintain access even after the vulnerability itself is patched. This could lead to widespread damage, including loss of trust, financial loss, and reputational harm for site owners.
Recommendations for Improved Security
To mitigate the risk posed by CVE-2024-8283, it is essential that WordPress site administrators update the Slider by 10Web plugin as soon as a patch is released. Developers of the plugin must implement robust input sanitization, particularly in fields like “link the slide to,” to prevent XSS attacks.
Administrators should also review user roles and permissions, particularly for contributors, and restrict their ability to insert unfiltered HTML or JavaScript. Installing a security plugin that monitors for XSS attempts and blocks malicious scripts can provide additional protection. Regular audits of plugin settings and WordPress configurations can help identify vulnerabilities before they are exploited.
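As an added example (not the plugin's own code), the following Node-runnable model shows the output-handling fix the recommendation above calls for. The inline-handler shape `onclick="wds_slide_redirect_link(event,'<link>','_blank')"` is an assumption inferred from the PoC payload; the hardened renderer validates the URL scheme and keeps the saved link out of script context entirely.

```javascript
// Added example (not the plugin's source): a minimal model of the render step the
// PoC payload implies, i.e. an inline handler of the ASSUMED shape
//   onclick="wds_slide_redirect_link(event,'<link>','_blank')"
// beside a hardened renderer that keeps the saved link out of script context.

// Constructed sample input with the same shape as the PoC value.
const PAYLOAD =
  "http://127.0.0.1/wordpress/wp-admin/123','_blank');alert(1);wds_slide_redirect_link(event,'123";

// Vulnerable model: the stored value is concatenated into a JS string literal inside an
// HTML event attribute, so the first quote in the value ends the literal and the rest is code.
// Note: browsers entity-decode attribute values before the JS engine parses them, so turning
// quotes into &#39; inside onclick="..." would not help; the value must leave script context.
function renderVulnerable(link) {
  return `<div class="wds-slide" onclick="wds_slide_redirect_link(event,'${link}','_blank')">slide</div>`;
}

// Step 1: accept only absolute http(s) URLs; rejects javascript:, data: and malformed values.
function safeHttpUrl(link) {
  let url;
  try { url = new URL(String(link)); } catch (e) { return null; }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Step 2: escape for the double-quoted HTML attribute context the value is placed in.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Step 3: render the destination as inert data; the click behaviour lives in a script
// that reads the attribute, so contributor-supplied bytes are never parsed as JavaScript.
function renderHardened(link) {
  const url = safeHttpUrl(link);
  if (url === null) return '<div class="wds-slide">slide</div>'; // no valid link: not clickable
  return `<div class="wds-slide" data-redirect="${escapeAttr(url)}" data-target="_blank">slide</div>`;
}

// Browser-side companion for renderHardened (not exercised under Node).
function attachSlideRedirects(root) {
  for (const el of root.querySelectorAll("[data-redirect]")) {
    el.addEventListener("click", (ev) => {
      ev.preventDefault();
      window.open(el.dataset.redirect, el.dataset.target || "_self");
    });
  }
}

console.log(renderVulnerable(PAYLOAD)); // the handler's string literal is terminated by the payload
console.log(renderHardened(PAYLOAD));   // quotes entity-escaped, no onclick attribute at all
```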
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8283, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.