Master Slider < 3.9.10 – Editor+ Stored XSS via slider callback | CVE 2024-0611 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the slides callback functionality. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 3.9.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6e587c-59b2-4f93-ab88-5e548b52db45

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Akbar Kustirama

Verified

No

WPVDB ID

50627a56-b1b6-4c88-8120-244fb6a31cd2

Timeline

Publicly Published

2024-03-01 (about 2 years ago)

Added

2024-03-01 (about 2 years ago)

Last Updated

2024-12-18 (about 1 year ago)

Other

Published

Title

Published

2023-01-17

Title

YaMaps for WordPress Plugin < 0.6.26 - Contributor+ Stored XSS

Published

2018-07-28

Title

Gwolle Guestbook <= 2.5.3 - Cross-Site Scripting (XSS)

Published

2025-05-07

Title

Quran multilanguage Text & Audio < 2.3.24 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Verification Code for Comments 2.1.0 - vcc.js.php Multiple Parameter Reflected XSS

Published

2024-08-16

Title

Button contact VR < 4.7.8 - Admin+ Stored XSS