Security Alert: Two critical vulnerabilities found in Slider Revolution plugin threaten WordPress sites
A recent security audit has uncovered two significant vulnerabilities in Slider Revolution, a widely used premium plugin for WordPress with over 9 million active users. Chained together, the two flaws could let an unauthenticated attacker steal sensitive information from visitors to a WordPress site and, ultimately, gain full control of the site.
Understanding the Vulnerabilities:
- Unauthenticated Broken Access Control in the REST API (CVE-2024-34444):
- A REST API endpoint exposed by the plugin did not check the caller's permissions, so anyone, without a valid user account, could update slider data with a single HTTP request.
- Stored XSS via slider parameters (CVE-2024-34443):
- The plugin did not adequately sanitize slider parameters on input or escape them on output, so script injected into slider data is stored and later executed in the browser of every visitor who views the slider. On its own this requires an account that can edit sliders, so it is an authenticated stored XSS; combined with the access control flaw it becomes exploitable by unauthenticated attackers. The injected script runs with the victim's session and could steal sensitive data such as login credentials or session cookies. If the victim is a logged-in administrator, this can lead to unauthorized access to the WordPress administration panel or even complete takeover of the website.
Patching and Best Practices:
The vulnerabilities have been addressed in recent updates of the Slider Revolution plugin:
- Unauthenticated Broken Access Control (CVE-2024-34444): Patched in version 6.7.0.
- Authenticated Stored XSS (CVE-2024-34443): Fully resolved in version 6.7.11 (the affected REST API endpoint was removed entirely, and proper input sanitization and output escaping were implemented).
Here are some additional recommendations for WordPress website owners:
- Update Immediately: It’s crucial to update the Slider Revolution plugin to version 6.7.11 (or later) as soon as possible to mitigate these vulnerabilities.
- Implement Escaping and Sanitization: Beyond patching, plugin and theme code on your site should sanitize all user-supplied values when they are stored and escape them when they are rendered, using the escaping function that matches the output context (HTML body, attribute, URL, or JavaScript). Sanitizing on save alone does not prevent stored XSS.
- Review REST API Permissions: Every REST route registered on your site should have a permission_callback that enforces a capability check, so that sensitive actions such as updating plugin data are restricted to users who are actually allowed to perform them. A callback that always returns true makes the route public.
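The two recommendations above describe the exact two defects that were chained in the plugin: a REST route with no authorization check, and slider data that is stored and echoed without sanitization or escaping. The following PHP is an added illustration written for this page; it is not Slider Revolution's code, and the namespace `example-slider/v1`, the route paths, and the option name `example_slider_<id>` are hypothetical. It shows a weak route registration beside a hardened one, and the output-side escaping that must accompany input sanitization.

```php
<?php
// Added example for this page, not Slider Revolution's code. The namespace
// "example-slider/v1", the route paths and the "example_slider_<id>" option
// name are hypothetical; the WordPress functions used are real core APIs.

// WEAK: '__return_true' as permission_callback is the WordPress idiom for
// "no authorization check", so any unauthenticated visitor can call this
// route. The title is stored raw and will later be echoed unescaped.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-slider/v1', '/slider-unsafe/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,   // POST, PUT, PATCH
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $id    = (int) $request['id'];
            $title = $request->get_param( 'title' );          // attacker-controlled, unsanitized
            update_option( 'example_slider_' . $id, array( 'title' => $title ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );

// HARDENED: capability check on the route, schema-driven validation and
// sanitization of every argument, and escaping where the value is rendered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-slider/v1', '/slider/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        // Only users who may manage plugin settings can edit sliders. For
        // cookie-authenticated callers WordPress core additionally requires a
        // valid REST nonce before this callback is reached.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags, control characters and surrounding whitespace.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $id    = $request->get_param( 'id' );     // already passed through absint()
            $title = $request->get_param( 'title' );  // already sanitized
            update_option( 'example_slider_' . $id, array( 'title' => $title ) );
            return rest_ensure_response( array( 'saved' => true, 'id' => $id ) );
        },
    ) );
} );

// Output side: sanitizing on save is not sufficient on its own. Escape for the
// exact context the value lands in: esc_attr() inside an attribute, esc_html()
// in the element body. A stored payload such as "><script>…</script> is then
// rendered as inert text instead of executing in the visitor's browser.
function example_slider_render( int $id ): string {
    $slider = get_option( 'example_slider_' . $id, array( 'title' => '' ) );
    $title  = (string) $slider['title'];
    return sprintf(
        '<div class="slider" data-title="%s"><h2>%s</h2></div>',
        esc_attr( $title ),
        esc_html( $title )
    );
}
```

When auditing a site, the quick check is to list registered routes and look at each `permission_callback`: any route whose callback is `__return_true`, or that performs a write without a `current_user_can()` check, is reachable by every visitor and deserves the same scrutiny the Slider Revolution endpoint received.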
By taking these steps, WordPress website owners can significantly improve their website’s security posture and protect themselves from these critical vulnerabilities in the Slider Revolution plugin.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.