CVE-2016-10974

8.8 HIGH

📋 TL;DR

This vulnerability in the fluid-responsive-slideshow WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to stored Cross-Site Scripting (XSS). Attackers can trick authenticated administrators into executing malicious actions, which then inject persistent JavaScript payloads into the website. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress fluid-responsive-slideshow plugin
Versions: All versions before 2.2.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin activation and administrator interaction with malicious content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover through administrative account compromise, data theft, malware distribution to visitors, and defacement.

🟠 Likely Case

Site defacement, cookie theft from administrators, redirection to malicious sites, and potential credential harvesting.

🟢 If Mitigated

Limited impact with proper CSRF protections and content security policies in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated administrators but uses simple CSRF+XSS techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.7

Vendor Advisory: https://wordpress.org/plugins/fluid-responsive-slideshow/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Fluid Responsive Slideshow'.
4. Click 'Update Now' if available.
5. If not, download version 2.2.7+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platforms: all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate fluid-responsive-slideshow

Implement CSRF Protection

Platforms: all

Add WordPress nonce verification to the plugin's forms if custom patching is possible.

Add wp_nonce_field() to the settings form and wp_verify_nonce() to the frs_save handler.
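As an added illustration (not the fluid-responsive-slideshow plugin's own code), this is what the nonce check looks like in a WordPress AJAX settings handler; the option name, the 'caption' field and both handler bodies are assumptions, and only the frs_save action name comes from this advisory:

```php
<?php
// Added illustration of WordPress nonce protection for a settings-save AJAX
// action. This is NOT the fluid-responsive-slideshow plugin's code: the option
// name 'frs_example_caption', the 'caption' field and both handler bodies are
// constructed for this example; only the action name frs_save is from the advisory.

// BEFORE (vulnerable pattern): nothing ties the request to a form the admin
// loaded, so a forged cross-site POST is accepted, and the raw value is stored.
function frs_save_insecure() {
    update_option( 'frs_example_caption', $_POST['caption'] );
    wp_die();
}

// AFTER (hardened): wp_verify_nonce() rejects forged requests, a capability
// check limits who may save, and the value is sanitized before it is stored.
function frs_save_secure() {
    $nonce = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'frs_save_settings' ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $caption = isset( $_POST['caption'] ) ? sanitize_text_field( wp_unslash( $_POST['caption'] ) ) : '';
    update_option( 'frs_example_caption', $caption );
    wp_send_json_success();
}
add_action( 'wp_ajax_frs_save', 'frs_save_secure' );

// The settings form emits the matching nonce with wp_nonce_field(). Output is
// escaped as well, so a value that did reach the database cannot run as script.
function frs_example_settings_form() {
    $caption = get_option( 'frs_example_caption', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="frs_save">
        <?php wp_nonce_field( 'frs_save_settings', 'security' ); ?>
        <input type="text" name="caption" value="<?php echo esc_attr( $caption ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce action string passed to wp_nonce_field() must match the one given to wp_verify_nonce(), and the hidden field name ('security' here) must match the key the handler reads.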

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. Look for 'Fluid Responsive Slideshow' with version below 2.2.7.

Check Version:

wp plugin get fluid-responsive-slideshow --field=version

Verify Fix Applied:

Confirm plugin version is 2.2.7 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=frs_save
  • Administrator accounts accessing suspicious external URLs

Network Indicators:

  • Unexpected JavaScript injection in plugin settings or slideshow content

SIEM Query:

source="wordpress.log" AND "frs_save" AND status=200
