CVE-2024-4375 in Master Slider Plugin

Summary

by MITRE • 06/18/2024

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'css_id' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/23/2025

CVE-2024-4375 affects the Master Slider plugin for WordPress in versions up to and including 3.9.10. This represents a critical security flaw that enables authenticated attackers with contributor-level privileges or higher to execute stored cross-site scripting attacks. The vulnerability lies in the plugin's 'ms_layer' shortcode implementation, where user-supplied input is not properly sanitized or escaped. The 'css_id' attribute serves as the attack vector, allowing attackers to inject scripts that persist within the plugin's data storage mechanisms.

The flaw stems from insufficient input validation and output escaping in the Master Slider plugin's shortcode processing. When administrators or users with contributor privileges create or modify content using the 'ms_layer' shortcode and provide malicious input in the 'css_id' parameter, the system fails to properly sanitize this data before storing it in the WordPress database. The stored content then executes whenever any user accesses a page containing the vulnerable shortcode, creating a persistent XSS attack vector that can affect multiple users without requiring additional authentication.

From an operational impact perspective, this vulnerability presents significant risks to WordPress installations using the affected Master Slider plugin. Contributors and above typically have the ability to create and edit posts, pages, and media content within WordPress, making this attack vector particularly dangerous as it can be exploited by users who already possess elevated privileges within the content management system. The stored nature of the XSS attack means that malicious scripts can affect any user who views the compromised content, potentially leading to session hijacking, data theft, or further system compromise. The vulnerability essentially transforms legitimate content creation capabilities into attack vectors for persistent malicious code execution.

Security professionals should consider this vulnerability in relation to CWE-79, which specifically addresses cross-site scripting flaws, and the ATT&CK framework's T1566.001 technique for initial access through spearphishing attachments or links. The mitigation strategy should include immediate patching to version 3.9.11 or later, which addresses the input sanitization and output escaping deficiencies. Additionally, administrators should implement network monitoring to detect suspicious shortcode usage patterns and consider restricting contributor-level access to plugin shortcode functionalities where possible. Regular security audits of WordPress plugins should be conducted to identify similar vulnerabilities, and implementing a robust content security policy can help mitigate the impact of successful XSS attacks even when vulnerabilities exist.
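As an added example (not code from VulDB or from the plugin), the following audit sketch flags 'ms_layer' shortcodes whose 'css_id' value is not a plain HTML id token, which is one way to review stored content on sites that ran 3.9.10 or earlier. The allow-list pattern, the `sample_attr` attribute and the sample posts are assumptions constructed for illustration; real input would be `post_content` values exported from the `wp_posts` table.

```python
import re

# Matches an opening [ms_layer ...] tag and captures its attribute string.
SHORTCODE_RE = re.compile(r"\[ms_layer\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value (the forms WordPress shortcodes accept).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")
# Assumption: a legitimate css_id is a plain id token (letter, then letters/digits/_/-).
SAFE_ID_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def parse_attrs(attr_text):
    """Parse a shortcode attribute string into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        # Exactly one of the three value groups is set for each match.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(posts):
    """Return (post_id, css_id) for each ms_layer css_id that is not a plain id."""
    findings = []
    for post_id, content in posts:
        for tag in SHORTCODE_RE.finditer(content):
            css_id = parse_attrs(tag.group(1)).get("css_id")
            if css_id is not None and not SAFE_ID_RE.fullmatch(css_id):
                findings.append((post_id, css_id))
    return findings


# Constructed sample rows: (post ID, post_content). Not real site data.
SAMPLE_POSTS = [
    (101, '[ms_layer css_id="hero-title" sample_attr="x"]Welcome[/ms_layer]'),
    (102, "<p>No slider on this page.</p>"),
    (103, "[ms_layer sample_attr='x' css_id='bad<id>']Text[/ms_layer]"),
    (104, '[ms_layer css_id="two words"]A[/ms_layer] [ms_layer css_id=ok_2]B[/ms_layer]'),
]

if __name__ == "__main__":
    for post_id, css_id in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review css_id value {css_id!r}")
```

Any flagged post should be reviewed by hand, since content stored before the upgrade to 3.9.11 remains in the database afterwards.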

Reservation: 04/30/2024

Disclosure: 06/18/2024

Moderation: accepted

CPE: ready

EPSS: 0.00322

KEV: no

Activities: very low
