Security vulnerabilities within popular content management systems, such as WordPress, can have far-reaching impacts on millions of websites. A recent example of this is the discovery of a Stored Cross-Site Scripting (XSS) vulnerability within the Prime Slider – Addons For Elementor plugin, which is widely used for creating sliders on WordPress websites.

This post will break down the vulnerability details, the vulnerable code snippets, and the risks associated with the exploit, in addition to providing links to original references for further information.

Vulnerability Details

The Prime Slider – Addons For Elementor plugin in all versions up to and including 3.14.1 contains a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping on user-supplied attributes. Specifically, the vulnerability exists within the Page Piling widget of the plugin.

The vulnerable code exists in the following file and function:

/inc/widgets/prime-slider/pagepiling.php

public function parse_text_editor( $content, $object ) {
  $settings = $object->get_settings_for_display();

  // Allow-list an <iframe> tag whose src attribute is not restricted.
  $this->allowed_html['iframe'] = [
    'src' => [],
    'width' => [],
    'height' => [],
    'frameborder' => []
  ];

  // Adds 'javascript' to the URL schemes wp_kses() accepts, so a
  // javascript: URL in src survives filtering. This is the root cause.
  $this->allowed_protocols[] = 'javascript';

  return wp_kses( $content, $this->allowed_html, $this->allowed_protocols );
}

Exploit Details

The prime_slider_pagepiling_content attribute within the Pagepiling widget does not properly sanitize user input, allowing authenticated attackers with contributor-level access or above to inject arbitrary web scripts or HTML. When a user accesses an injected page, this can lead to the execution of malicious scripts.
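For comparison, the following is an added example written for this post, not the plugin's own code or its vendor patch: a hardened counterpart to parse_text_editor() that keeps the iframe allow-list but leaves the WordPress protocol list untouched. It assumes a loaded WordPress environment (wp_kses(), wp_kses_allowed_html() and wp_allowed_protocols() are core functions); the class name and the sample input are constructed for illustration.

```php
<?php
// Added example, not the plugin's code: a hardened form of the
// parse_text_editor() snippet. It fixes the two defects the advisory
// names: 'javascript' added to allowed protocols, and an iframe
// allow-list whose src accepts any scheme.

class Hardened_Pagepiling_Filter {
    /** @var array<string, array<string, bool>> */
    private $allowed_html;

    public function __construct() {
        // Start from the tag set a post author may already use, then add
        // <iframe> with only the attributes the widget needs.
        $this->allowed_html = wp_kses_allowed_html( 'post' );
        $this->allowed_html['iframe'] = [
            'src'         => true,
            'width'       => true,
            'height'      => true,
            'frameborder' => true,
        ];
    }

    public function parse_text_editor( $content ) {
        // Do not extend the protocol list. wp_allowed_protocols() covers
        // http, https, mailto and friends and deliberately omits javascript,
        // so wp_kses() strips a javascript: scheme from src/href attributes.
        $protocols = wp_allowed_protocols();

        return wp_kses( $content, $this->allowed_html, $protocols );
    }
}

// Constructed input to show the effect: the javascript: scheme is removed
// from the iframe src and the <script> element is dropped entirely.
$filter = new Hardened_Pagepiling_Filter();
$dirty  = '<iframe src="javascript:alert(1)" width="1" height="1"></iframe>'
        . '<script>alert(1)</script><p>ok</p>';
$clean  = $filter->parse_text_editor( $dirty );
// $clean no longer contains "javascript:" or a <script> tag.
```

Output escaping at render time (for example esc_attr() on each iframe attribute) is still required; wp_kses() on save is only half of the defence.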

Potential risks associated with this vulnerability include stealing user session cookies, defacement of the website, phishing attacks, or other malicious actions.

Original References

1. Description of Vulnerability: Wordfence Blog
2. Official WordPress Plugin Repository: Prime Slider – Addons For Elementor
3. Official CVE Details: CVE-2024-3997

Conclusion

Stored Cross-Site Scripting vulnerabilities are a persistent issue within web applications, and often exist due to insufficient input sanitization and output escaping. In this case, the Prime Slider – Addons For Elementor plugin for WordPress is affected by a Stored XSS vulnerability in the Pagepiling widget.

WordPress site owners should ensure that they update the plugin to the latest version, 3.14.2 or later, to protect their websites from potential exploitation.

Timeline

Published on: 05/23/2024 11:15:24 UTC
Last modified on: 06/04/2024 17:31:48 UTC