CVE-2024-3285 in Slider, Gallery, and Carousel Plugin
Summary
by MITRE • 04/11/2024
The Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'metaslider' shortcode in all versions up to, and including, 3.70.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/06/2025
The vulnerability identified as CVE-2024-3285 affects the Slider Gallery and Carousel by MetaSlider plugin for WordPress, a widely used responsive slideshow solution that has been installed on numerous websites worldwide. This plugin enables users to create dynamic image galleries and carousels through shortcode implementation, making it a popular choice among WordPress content creators and developers. The vulnerability exists within the plugin's handling of the 'metaslider' shortcode, which processes user-supplied attributes to generate dynamic content on web pages. The flaw specifically manifests in the plugin's failure to properly sanitize and escape user input before rendering it in the output, creating a persistent cross-site scripting vulnerability that can be exploited by authenticated attackers.
The technical nature of this vulnerability stems from insufficient input validation and output escaping mechanisms within the plugin's shortcode processing functionality. When administrators or users with contributor-level privileges and above create or modify slideshow content using the metaslider shortcode, they can inject malicious JavaScript code through attributes that are not properly sanitized. This stored XSS vulnerability allows attackers to embed malicious scripts that will execute in the context of any user who views pages containing the compromised shortcode. The vulnerability affects all versions of the plugin up to and including version 3.70.0, indicating that the security flaw has existed for an extended period without proper remediation. This type of vulnerability is categorized under CWE-79: Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly escape or sanitize user-provided data before incorporating it into web page content.
The operational impact of this vulnerability is significant for WordPress websites utilizing the affected plugin, as it provides authenticated attackers with a persistent means of executing arbitrary script in the browsers of users who view the affected pages. Attackers with contributor-level access can inject malicious scripts that will execute whenever legitimate users view pages containing the compromised slideshow content, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The vulnerability's persistence stems from the fact that the malicious code is stored within the plugin's shortcode attributes and remains embedded in the website's content until manually removed. This makes it particularly dangerous, as the malicious code can affect any user who accesses pages containing the compromised slideshow elements, regardless of their privilege level or authentication status. Exploitation requires minimal technical expertise, as attackers only need to leverage existing contributor-level privileges to inject malicious payloads.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the XSS flaw, as well as on additional security measures that prevent unauthorized access to contributor-level accounts. Organizations should prioritize updating to the latest stable version of the MetaSlider plugin where the vulnerability has been patched, typically following the release of version 3.71.0 or later. Site administrators should also implement proper access controls and privilege management to limit who can create or modify slideshow content, and should consider deploying a Content Security Policy to prevent execution of unauthorized scripts. Additionally, regular security audits of WordPress installations should include verification of plugin versions and identification of any outdated or vulnerable components that may present similar security risks. The vulnerability aligns with ATT&CK technique T1546.001: Event Triggered Execution, as it allows for persistent code execution through legitimate plugin functionality that can be triggered by user interactions with compromised content.
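As an added illustration of the defect class described in the analysis (user-supplied shortcode attributes rendered without escaping) and of the escaping the mitigation section calls for, the following is a minimal WordPress shortcode handler shown vulnerable and hardened side by side. It is example code written for this page, not MetaSlider's; the shortcode name `demo_slider`, the attribute names and the rendered markup are assumptions.

```php
<?php
// Example code, not MetaSlider's. The shortcode 'demo_slider' and its
// attributes 'id' and 'class' are assumed names used for illustration.

// VULNERABLE: attribute values supplied by the post author are concatenated
// straight into HTML. Post content is filtered by KSES for contributors, but
// a shortcode attribute value is handed to this callback unchanged, so a
// quote character inside the value ends the attribute early and whatever
// follows reaches the browser as markup.
function demo_slider_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'class' => '' ), $atts, 'demo_slider' );
    return '<div id="slider-' . $atts['id'] . '" class="' . $atts['class'] . '"></div>';
}

// HARDENED: whitelist the accepted attributes, coerce each one to the type it
// is supposed to have, and escape at the point where it is written into HTML.
function demo_slider_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0, 'class' => '' ), $atts, 'demo_slider' );
    $id    = absint( $atts['id'] );                  // a slider ID can only be a positive integer
    $class = sanitize_html_class( $atts['class'] );  // keeps only [A-Za-z0-9_-]

    if ( 0 === $id ) {
        return ''; // unknown slider: emit nothing rather than attacker-shaped markup
    }

    // esc_attr() on every value placed inside an attribute; it is redundant for
    // $id after absint(), which is deliberate (defense in depth at the output sink).
    return sprintf(
        '<div id="%s" class="%s" data-slider="%d"></div>',
        esc_attr( 'slider-' . $id ),
        esc_attr( $class ),
        $id
    );
}

add_shortcode( 'demo_slider', 'demo_slider_hardened' );
```

The same rule applies to every attribute a shortcode forwards into markup: validate it against the type the plugin expects, then escape it with the WordPress helper matching the output context (`esc_attr()` for attributes, `esc_html()` for text, `esc_url()` for links).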