CVE-2024-0611 in Master Slider Plugininfo

Summary

by MITRE • 03/02/2024

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slides callback functionality in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-0611 resides within the Master Slider plugin for WordPress, specifically targeting the slides callback functionality that allows for stored cross-site scripting attacks. This issue affects all versions up to and including 3.9.9, making it a significant security concern for WordPress installations that utilize this particular plugin. The vulnerability's impact is particularly severe because it leverages the privileged access of authenticated users with editor-level permissions, transforming what could be a simple content management flaw into a potential vector for widespread malicious activity.

The technical flaw manifests through the improper sanitization of user input within the slides callback feature, which is designed to allow customization of slider behavior through JavaScript callbacks. When editors create or modify slider slides, the plugin fails to adequately validate or escape the callback parameters, creating an environment where malicious scripts can be stored within the WordPress database. This stored payload executes whenever any user accesses pages containing the compromised slider content, effectively turning the vulnerable plugin into a persistent threat vector that can affect all visitors to affected sites.

The operational impact of this vulnerability extends beyond simple script execution, as it specifically targets multi-site WordPress installations where the unfiltered_html capability has been disabled. This restriction typically exists to prevent arbitrary code injection, yet the vulnerability bypasses these security measures by exploiting the legitimate callback functionality. Attackers with editor privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, data exfiltration, or further exploitation through techniques such as credential theft or browser-based attacks. The vulnerability's persistence stems from the stored nature of the XSS payload, meaning that once injected, it continues to affect users until manually removed from the database.

The security implications of this vulnerability align with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications, and can be mapped to ATT&CK technique T1566.001 for initial access through malicious content. Organizations affected by this vulnerability should immediately update to the latest plugin version where the XSS sanitization has been implemented, while also implementing additional monitoring for unauthorized modifications to slider configurations. The recommended mitigation strategy includes restricting editor privileges to only those users who absolutely require them, implementing proper input validation at multiple layers, and conducting regular security audits of plugin installations to ensure no unauthorized modifications have occurred. Additionally, administrators should consider implementing web application firewalls or content security policies as additional defensive measures to prevent exploitation of similar vulnerabilities in other components of their WordPress installations.

Responsible

Wordfence

Reservation

01/16/2024

Disclosure

03/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00656

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!