Prime Slider – Addons For Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Pacific Widget – CVE-2024-5640 | WordPress Plugin Vulnerability Report

Plugin Name: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)

Key Information:

  • Software Type: Plugin
  • Software Slug: bdthemes-prime-slider-lite
  • Software Status: Active
  • Software Author: bdthemes
  • Software Downloads: 2,491,843
  • Active Installs: 100,000
  • Last Updated: June 20, 2024
  • Patched Versions: 3.14.8
  • Affected Versions: <= 3.14.7

Vulnerability Details:

  • Name: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.14.7
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Pacific Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-5640
  • CVSS Score: 6.4
  • Publicly Published: June 6, 2024
  • Researcher: wesley
  • Description: The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the ‘id’ attribute within the Pacific widget in versions up to and including 3.14.7. This vulnerability allows authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts. These scripts execute when a user accesses an affected page, potentially leading to unauthorized actions or data theft.
  • References: Wordfence Advisory

Summary:

The Prime Slider – Addons For Elementor plugin for WordPress has a vulnerability in versions up to and including 3.14.7 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the Pacific widget. This vulnerability has been patched in version 3.14.8.

Detailed Overview:

The vulnerability arises due to inadequate input sanitization and output escaping in the Pacific widget of the plugin. This oversight enables attackers to embed malicious scripts, which are executed when unsuspecting users visit compromised pages. The risk includes potential manipulation of site content, phishing attacks, and unauthorized data access.

Advice for Users:

Immediate Action: Update the Prime Slider – Addons For Elementor plugin to version 3.14.8 immediately to mitigate the risk of exploitation.

Check for Signs of Compromise: Monitor website logs and pages for any unexpected or injected scripts that may indicate the vulnerability has already been exploited.

Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality.

Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and ensure site security.

Conclusion:

The swift release of version 3.14.8 by the plugin developers underscores the critical importance of timely updates in safeguarding WordPress sites. Users are strongly advised to ensure they are running version 3.14.8 or newer to protect their WordPress installations from potential exploits.

Detailed Report: 

In today’s digital landscape, the security of your WordPress website is paramount. As cyber threats evolve, vulnerabilities in plugins like Prime Slider – Addons For Elementor underscore the critical need for vigilance. This plugin, developed by bdthemes and boasting 2,491,843 downloads with 100,000 active installs, recently fell prey to a significant security flaw, CVE-2024-5640. This vulnerability, present in versions up to and including 3.14.7, enables authenticated attackers with Contributor-level access and above to inject malicious scripts via the Pacific widget.

Vulnerability Details:

The flaw arises from inadequate input sanitization and output escaping within the Pacific widget. This oversight allows attackers to embed arbitrary web scripts, which execute when users access compromised pages. The impact includes potential manipulation of site content, phishing attempts, and unauthorized data access.
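The advisory (here and in the Detailed Overview above) attributes the flaw to missing input sanitization and output escaping around the widget's 'id' attribute. The Python below is an added illustration, not the plugin's code: it models two render paths for a widget wrapper whose id attribute comes from a stored setting, one that writes the value verbatim and one that escapes it the way WordPress esc_attr() does, and parses both results the way a browser would. The wrapper markup, the SAMPLE_ID value and all function names are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed value for the widget's 'id' setting (not taken from the advisory).
# It only contains the characters that matter inside an HTML attribute.
SAMPLE_ID = 'slide-1" data-x="<b>'


def render_wrapper_unsafe(widget_id):
    """Vulnerable pattern: the stored setting is written into the attribute verbatim."""
    return '<div id="%s" class="slider-wrapper"></div>' % widget_id


def esc_attr(value):
    """Output escaping with the effect of WordPress esc_attr(): &, <, >, " and '
    become entities, so the value can never terminate the attribute it sits in."""
    return html.escape(value, quote=True)


def render_wrapper_safe(widget_id):
    """Hardened pattern: escape at the point of output, for the attribute context."""
    return '<div id="%s" class="slider-wrapper"></div>' % esc_attr(widget_id)


def sanitize_html_id(value):
    """Input-side sanitization (defence in depth, not a substitute for escaping):
    keep only characters that belong in an HTML id. Assumed filter, modelled on the
    intent of WordPress sanitize_html_class()/sanitize_key()."""
    return re.sub(r"[^A-Za-z0-9_-]", "", value)


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs as the parser recovers them, entities decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(markup):
    """Return the attributes the HTML parser sees in the rendered wrapper."""
    collector = _AttrCollector()
    collector.feed(markup)
    return collector.attrs


if __name__ == "__main__":
    # Unescaped: the stored value closes the id attribute and adds a new one.
    print("unsafe :", parsed_attributes(render_wrapper_unsafe(SAMPLE_ID)))
    # Escaped: the whole stored value stays inside the id attribute.
    print("escaped:", parsed_attributes(render_wrapper_safe(SAMPLE_ID)))
    print("sanitized id:", sanitize_html_id(SAMPLE_ID))
```

The parsed attribute lists make the difference concrete: in the unescaped render the stored value ends the id attribute and introduces a second attribute of its own choosing, which is exactly the foothold a stored XSS needs; in the escaped render the parser still sees one id attribute holding the entire string. Escaping belongs at output time in the correct context (esc_attr for attributes, esc_html for text, esc_url for URLs); sanitizing on save is a useful second layer but does not replace it.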

Immediate Action:

To mitigate this risk, it is imperative to update Prime Slider – Addons For Elementor to version 3.14.8 immediately. This update patches the vulnerability, thereby safeguarding your site against exploitation.

Advice for Users:

Beyond immediate updates, monitor website logs and pages for any signs of injected scripts that may indicate compromise. Consider disabling the plugin temporarily until the update is applied or explore alternative plugins offering similar functionalities. Regularly updating all WordPress plugins to their latest versions is crucial for ongoing site security.
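Both sets of advice (Check for Signs of Compromise above, and this paragraph) recommend looking through stored pages for injected scripts. The Python below is an added example, not part of the report or the plugin: it scans a fragment of saved page markup for the three forms script can take inside HTML (script elements, inline on* event handlers and javascript: URLs), with an optional allowlist of hosts whose external scripts are expected. SAMPLE_PAGE is constructed for the example; the hostname and handler names in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of saved page markup (not from the advisory): a clean slider
# wrapper followed by markup carrying each kind of script a scanner should flag.
SAMPLE_PAGE = """
<div id="slide-1" class="slider-wrapper"><img src="/img/hero.jpg" alt="Hero"></div>
<div id="slide-2" onmouseover="doThing()" class="slider-wrapper"></div>
<a href="javascript:doThing()">Read more</a>
<script>doThing()</script>
<script src="https://cdn.example/lib.js"></script>
"""


class InjectedScriptScanner(HTMLParser):
    """Records (kind, where) findings for script elements, on* handlers and
    javascript: URLs. Attribute values arrive entity-decoded, so encoded
    variants of 'javascript:' are seen in their decoded form."""

    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

    def __init__(self, allowed_script_hosts=frozenset()):
        super().__init__()
        self.allowed_script_hosts = set(allowed_script_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script":
            src = attr_map.get("src")
            if not src:
                self.findings.append(("script_element", "inline"))
            elif urlparse(src).hostname not in self.allowed_script_hosts:
                self.findings.append(("script_element", src))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(("event_handler", "%s@%s" % (tag, lname)))
            elif (lname in self.URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(("javascript_url", "%s@%s" % (tag, lname)))


def scan_markup(markup, allowed_script_hosts=frozenset()):
    """Scan one page's stored HTML and return the list of findings in document order."""
    scanner = InjectedScriptScanner(allowed_script_hosts)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, where in scan_markup(SAMPLE_PAGE, allowed_script_hosts={"cdn.example"}):
        print("%-15s %s" % (kind, where))
```

Run it over post content exported from the database (or over fetched rendered pages, which also catches script added by the widget at render time); anything that was not put there on purpose by a site administrator, in particular inline script or event handlers inside slider markup that a Contributor-level account edited, warrants a closer look. The allowlist keeps known, legitimately enqueued external scripts out of the noise.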

Previous Vulnerabilities:

This is not the first vulnerability reported for Prime Slider – Addons For Elementor. Since March 4, 2022, 12 prior vulnerabilities have been reported in the plugin, highlighting its susceptibility to security issues.

Staying on top of plugin updates and security advisories is vital for any small business owner managing their WordPress website. While the task may seem daunting amidst other responsibilities, prioritizing security measures can significantly reduce the risk of exploitation and protect your online presence.

Staying Secure:

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
