XSS Vulnerabilities Found in WordPress Plugin Slider Revolution
A recent security audit of the Slider Revolution plugin has uncovered two significant vulnerabilities that could compromise the security of WordPress websites.
Slider Revolution, a widely used premium plugin with over 9 million active users, was found to have an unauthenticated stored XSS vulnerability. This flaw could allow unauthorized users to steal sensitive information and escalate privileges on WordPress sites with a single HTTP request.
The vulnerability, discovered by security experts at Patchstack, stemmed from inadequate input sanitization and output escaping in the code handling user input for slider parameters.
Additionally, a broken access control issue in one of the plugin’s REST API endpoints enabled unauthenticated users to update slider data. By exploiting both vulnerabilities, researchers were able to achieve unauthenticated stored XSS.
The primary vulnerability, the unauthenticated broken access control (CVE-2024-34444), was addressed in version 6.7.0 of the plugin. The authenticated stored XSS issue (CVE-2024-34443) was fully resolved in version 6.7.11. The vendor removed the affected REST API endpoint entirely and applied proper sanitization and escaping to mitigate the XSS risk.
Beyond patching, the security audit also generally recommended users to apply thorough escaping and sanitization to stored user input displayed on websites.
“We also recommend applying a proper permission or authorization check to the registered rest route endpoints and not providing sensitive action or process to an unauthenticated user,” reads the advisory published by Patchstack earlier today.
Users are urged to update their Slider Revolution plugin to version 6.7.11 or higher to mitigate these security risks.
Read more on WordPress security: Four Million WordPress Sites Vulnerable to LiteSpeed Plugin Flaw
The advisory timeline published by Patchstack indicates that Slider Revolution approached auditors in May 2023, leading to the release of patch versions in April and May 2024. The vulnerabilities have now also been added to the Patchstack vulnerability database.