Slider by 10Web < 1.2.56 – Editor+ Stored XSS | CVE 2024-6026 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator, however this can be changed via the plugin's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks

Proof of Concept

1.) Add a new slide image
2.) Add the following payload in the "Link the slide to:" field in Slide Options:

http://123.123" style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(/XSS/)" 

3.) Add the following to CSS textbox in main settings of new slider:

@keyframes slidein {}

Affects Plugins

Fixed in 1.2.56

References

CVE

URL

https://research.cleantalk.org/cve-2024-6026/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

01609d84-e9eb-46a9-b2cc-fe7e0c982984

Timeline

Publicly Published

2024-06-20 (about 1 year ago)

Added

2024-06-20 (about 1 year ago)

Last Updated

2024-06-20 (about 1 year ago)

Other

Published

Title

Published

2025-11-18

Title

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor < 3.14.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-09-22

Title

Real Estate Manager <= 7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-26

Title

Simple Ajax Chat < 20240223 - Unauthenticated Stored Cross-Site Scripting

Published

2023-05-10

Title

Tiny carousel horizontal slider plus <= 3.2 - Admin+ Stored XSS

Published

2025-01-18

Title

Tiki Time <= 1.3 - Reflected Cross-Site Scripting