Prime Slider Vulnerability – Authenticated Stored Cross-Site Scripting via Rubix Widget – CVE-2024-1507 | WordPress Plugin Vulnerability Report –
Plugin Name: Prime Slider – Addons For Elementor
Key Information:
- Software Type: Plugin
- Software Slug: bdthemes-prime-slider-lite
- Software Status: Active
- Software Author: bdthemes
- Software Downloads: 2,042,074
- Active Installs: 100,000
- Last Updated: March 13, 2024
- Patched Versions: 3.13.3
- Affected Versions: <= 3.13.2
Vulnerability Details:
- Name: Prime Slider – Addons For Elementor <= 3.13.2
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Rubix Widget
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1507
- CVSS Score: 6.4
- Publicly Published: March 12, 2024
- Researcher: Nikolas - mdr
- Description: The Prime Slider – Addons For Elementor plugin is susceptible to Stored Cross-Site Scripting attacks through the 'title_tags' attribute in the Rubix widget up to version 3.13.2, due to insufficient input sanitization and output escaping. This flaw allows authenticated users with contributor status or higher to embed arbitrary scripts, which are then executed when others access the compromised pages.
Summary:
The popular WordPress plugin, Prime Slider, designed to enhance Elementor with advanced slider functionalities, has encountered a critical security flaw in versions up to 3.13.2. This vulnerability, designated as CVE-2024-1507, allows for Authenticated Stored Cross-Site Scripting (XSS) attacks via the plugin's Rubix widget, posing a considerable risk to website security and user data privacy. Fortunately, this issue has been rectified in the latest update, version 3.13.3.
Detailed Overview:
Discovered by the cybersecurity researcher Nikolas - mdr, this vulnerability highlights the importance of rigorous input sanitization and output encoding practices in web development. The potential for authenticated users to exploit this vulnerability underscores the need for robust security measures and vigilant user role management on WordPress sites.
Advice for Users:
- Immediate Action: Users should promptly update the Prime Slider plugin to the patched version 3.13.3 via the WordPress dashboard to safeguard against this vulnerability.
- Check for Signs of Vulnerability: Regular site audits for unexpected content alterations or functionalities are recommended to detect possible exploitation signs.
- Alternate Plugins: While the patched version addresses this specific vulnerability, exploring alternative slider plugins might offer additional security features or better suit user needs.
- Stay Updated: Consistently updating all WordPress elements, including themes, plugins, and the core, is vital for security and site performance.
Conclusion:
The resolution of CVE-2024-1507 in the Prime Slider plugin serves as a crucial reminder of the ongoing need for cybersecurity diligence in the WordPress community. For website administrators, particularly those managing sites for small businesses, recognizing the importance of timely software updates is paramount. Implementing proactive security measures, such as regular updates and user access control, is key to maintaining a secure online environment.
References:
- Wordfence Vulnerability Report on Prime Slider
- Additional Information on Prime Slider Vulnerabilities