CVE-2024-13757 – This vulnerability allows authenticated WordPre... (How to Fix)

Q: What is the severity of CVE-2024-13757?

CVE-2024-13757 has a CVSS score of 6.4 (MEDIUM). This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages using the Master Slider plugin's ms_layer shortcode. The scripts execute whenever users visit the compromised pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using Master Slider version 3.10.6 or earlier are affected.

📋 TL;DR

This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages using the Master Slider plugin's ms_layer shortcode. The scripts execute whenever users visit the compromised pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using Master Slider version 3.10.6 or earlier are affected.

💻 Affected Systems

Products:

Master Slider – Responsive Touch Slider WordPress Plugin

Versions: All versions up to and including 3.10.6

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Master Slider plugin enabled. Contributor-level or higher user access is needed for exploitation.

📦 What is this software?

Master Slider by Averta

View all CVEs affecting Master Slider →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to WordPress sites, steal sensitive user data, install backdoors, or redirect visitors to malicious sites, potentially compromising the entire website and its users.

🟠

Likely Case

Attackers with contributor access inject malicious scripts that steal session cookies from administrators or visitors, leading to account takeover and limited site defacement.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to minor site defacement or script injection that doesn't execute due to CSP restrictions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials. Public proof-of-concept exists in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.7 or later

Vendor Advisory: https://wordpress.org/plugins/master-slider/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Master Slider plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 3.10.7+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable Master Slider Plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate master-slider

Restrict User Roles

all

Temporarily remove contributor-level posting permissions or downgrade suspicious accounts

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Monitor and audit user accounts with contributor-level access or higher

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Master Slider → Version number. If version is 3.10.6 or lower, you are vulnerable.

Check Version:

wp plugin get master-slider --field=version

Verify Fix Applied:

After updating, verify Master Slider version is 3.10.7 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin/post.php with ms_layer shortcode parameters
Multiple failed login attempts followed by successful contributor-level login

Network Indicators:

Unexpected script tags in page responses containing ms_layer attributes
External JavaScript loading from unusual domains in page content

SIEM Query:

source="wordpress.log" AND ("ms_layer" OR "master-slider") AND ("script" OR "javascript" OR "onclick")

📊 Metadata

CVE ID: CVE-2024-13757

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.09% exploit probability (25.3th percentile)

Published: March 5, 2025

Last Updated: May 26, 2025

🔗 References

https://plugins.trac.wordpress.org/browser/master-slider/trunk/includes/msp-shortcodes.php#L815 Product
https://wordpress.org/plugins/master-slider/#developers Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/26a7fb51-f40d-46b8-9f52-495716032a1b?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13757, you might also want to check these: