Carousel, Slider, Gallery by WP Carousel Vulnerability – Authenticated Stored Cross-Site Scripting – CVE-2024-2949 | WordPress Plugin Vulnerability Report

Plugin Name: Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-carousel-free
  • Software Status: Active
  • Software Author: shapedplugin
  • Software Downloads: 1,321,112
  • Active Installs: 60,000
  • Last Updated: April 15, 2024
  • Patched Versions: 2.6.4
  • Affected Versions: <= 2.6.3

Vulnerability Details:

  • Name: Carousel, Slider, Gallery by WP Carousel <= 2.6.3
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via 'sp_wp_carousel_shortcode'
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2949
  • CVSS Score: 6.4
  • Publicly Published: April 5, 2024
  • Researchers: Phuoc Pham (p3tl0v3r) - VNPT Cyber Immunity, Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The plugin is vulnerable to Stored Cross-Site Scripting via the carousel widget in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.


The Carousel, Slider, Gallery by WP Carousel plugin for WordPress has a vulnerability in versions up to and including 2.6.3 that exposes it to stored cross-site scripting issues. This vulnerability has been addressed and patched in version 2.6.4.

Detailed Overview:

The identified vulnerability pertains to the 'sp_wp_carousel_shortcode' function within the plugin, where user inputs were not adequately sanitized or escaped, leading to potential script injection. This issue could be exploited by any authenticated user with contributor-level privileges or higher, making it a significant risk for any site using an unpatched version of the plugin. The risks include unauthorized script execution which can lead to data theft, session hijacking, and defacement of the site.

Advice for Users:

  • Immediate Action: Users should update to the patched version 2.6.4 immediately to mitigate the risks associated with this vulnerability.
  • Check for Signs of Vulnerability: Administrators should review site logs and check for any unauthorized access or unusual activity, especially related to the 'sp_wp_carousel_shortcode' functionality.
  • Alternate Plugins: While the current vulnerability has been patched, users may consider exploring other carousel plugins as a precautionary measure, ensuring those alternatives are regularly updated and maintained.
  • Stay Updated: Continuously monitor and apply updates to all WordPress plugins and themes to protect against potential vulnerabilities.


The quick resolution with a patch in version 2.6.4 by WP Carousel's developers highlights the ongoing need for vigilance and prompt action in software maintenance. Users are encouraged to ensure their installations are updated to version 2.6.4 or later, reinforcing their site's defenses against potential exploits.


Detailed Report: 


In the ever-evolving world of digital technology, the security of your website hinges significantly on the promptness with which you apply updates to software components. A glaring example of the perils of oversight is the recent vulnerability discovered in the Carousel, Slider, Gallery by WP Carousel plugin—a tool utilized by thousands to enhance their WordPress sites with dynamic content displays. Identified as CVE-2024-2949, this security flaw exposes sites to stored cross-site scripting (XSS) attacks, potentially allowing malicious actors to inject harmful scripts that are executed when a user interacts with a compromised page. This vulnerability not only underscores the critical nature of regular software updates but also poses significant risks to user data and site integrity. If you're concerned about safeguarding your online presence, understanding this vulnerability, its implications, and the available remedies can significantly enhance your site's defenses against potential cyber threats.

Vulnerability Overview

The plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the ‘sp_wp_carousel_shortcode’ in all versions up to and including 2.6.3. This vulnerability, catalogued under CVE-2024-2949 with a CVSS score of 6.4, was publicly disclosed on April 5, 2024, by researchers Phuoc Pham and Ngô Thiên An from VNPT Cyber Immunity. It arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts.

Risks and Potential Impacts

If exploited, this vulnerability can allow attackers to execute scripts in the user’s browser, potentially leading to unauthorized access to sensitive information, session hijacking, and defacement of the affected site. The wide functionalities impacted by this vulnerability make it a significant risk, especially for business websites that handle sensitive user data.

Remediation Steps

  • Immediate Action: Update to the patched version 2.6.4 immediately via your WordPress dashboard.
  • Check for Signs of Vulnerability: Monitor your website logs for any unusual activity or unauthorized changes to website content.
  • Consult a Professional: If you suspect that your website has been compromised, it may be prudent to consult with a cybersecurity expert to conduct a thorough review and cleanup.

Previous Vulnerabilities

This is not the first vulnerability reported in this plugin; a previous issue was documented in December 2022, highlighting the need for ongoing vigilance and regular updates.


The prompt release of a patch for this vulnerability by WP Carousel’s developers in version 2.6.4 highlights the ongoing necessity of keeping all software components up to date to protect against exploits. For small business owners, managing a WordPress website doesn’t just involve content updates and marketing but also ensuring that all plugins are regularly reviewed and updated. Staying proactive in your website’s security measures is crucial—it protects not only your business operations but also your customers’ trust.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Carousel, Slider, Gallery by WP Carousel Vulnerability – Authenticated Stored Cross-Site Scripting – CVE-2024-2949 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment