CVE-2024-1859 in Slider Responsive Slideshow Plugin
Summary
by MITRE • 03/01/2024
The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1859 affects the Slider Responsive Slideshow plugin for WordPress, specifically targeting versions up to and including 138. This represents a critical security flaw that exploits PHP Object Injection techniques within the awl_slider_responsive_shortcode function. The vulnerability demonstrates a classic deserialization flaw where untrusted user input is directly processed through PHP's unserialize() function without proper validation or sanitization measures. The attack vector requires authenticated access with contributor-level privileges or higher, making it particularly concerning for WordPress environments where multiple user roles exist. Security researchers have classified this vulnerability under CWE-502 which specifically addresses PHP Object Injection flaws that occur when untrusted data is passed to the unserialize() function. This weakness creates a pathway for attackers to manipulate object states during the deserialization process, potentially leading to arbitrary code execution or data compromise.
The operational impact of this vulnerability extends beyond simple privilege escalation as it creates potential for more severe consequences when combined with other vulnerable components within the WordPress ecosystem. While no known POP (Point of No Return) chain exists within the vulnerable plugin itself, the presence of such chains in other installed plugins or themes could enable attackers to achieve full system compromise. The vulnerability specifically targets authenticated users who can create or modify content, making it particularly dangerous in environments where contributors have access to the WordPress admin interface. Attackers could leverage this flaw to execute malicious PHP code on the target server, potentially leading to complete system takeover, data exfiltration, or persistent backdoor installation. The attack requires minimal privileges but can result in significant damage to the affected WordPress installation and its underlying infrastructure.
Mitigation strategies for CVE-2024-1859 should focus on immediate plugin updates to the latest secure versions where the deserialization vulnerability has been addressed. Organizations should implement strict input validation and sanitization measures for all user-supplied data that might be processed through PHP's unserialize() function. Security teams should also consider implementing web application firewalls with rules specifically designed to detect and block suspicious deserialization patterns. The principle of least privilege should be enforced by restricting contributor-level access to only necessary administrative functions, particularly those involving shortcode or widget creation. Regular security audits of installed WordPress plugins should include verification of deserialization practices and proper input handling. Additionally, monitoring for unusual file operations or unauthorized code modifications should be implemented as part of the overall security posture. Organizations should also consider implementing automated patch management systems to ensure timely updates across all WordPress installations and related components to prevent exploitation of similar vulnerabilities in the broader WordPress ecosystem.