CVE-2024-32682

7.1 HIGH

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Prime Slider – Addons For Elementor WordPress plugin. Because of broken access control, attackers can perform actions they are not authorized for. All WordPress sites running affected versions of the plugin are vulnerable.

💻 Affected Systems

Products:
  • BdThemes Prime Slider – Addons For Elementor
Versions: All versions through 3.13.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both free and premium versions. Requires WordPress with Elementor plugin installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify plugin settings, inject malicious content, or potentially escalate privileges to compromise the entire WordPress site.

🟠 Likely Case

Unauthorized users could modify slider content, change plugin configurations, or deface website elements.

🟢 If Mitigated

With proper authorization checks, only authenticated administrators could modify plugin settings.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization typically means simple HTTP requests can trigger unauthorized actions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/bdthemes-prime-slider-lite/wordpress-prime-slider-plugin-3-13-2-broken-access-control-vulnerability-2

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Prime Slider – Addons For Elementor'.
4. Click 'Update Now' if available.
5. If no update appears, download version 3.13.3+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate bdthemes-prime-slider-lite

🧯 If You Can't Patch

  • Remove the Prime Slider plugin completely
  • Implement web application firewall rules to block unauthorized access to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins and read the Prime Slider version. If it is 3.13.2 or earlier, the site is vulnerable.

Check Version:

wp plugin get bdthemes-prime-slider-lite --field=version

Verify Fix Applied:

Verify plugin version is 3.13.3 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /wp-admin/admin-ajax.php with prime_slider actions
  • Unusual modifications to slider content by non-admin users

Network Indicators:

  • HTTP requests to plugin-specific endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND action="*prime_slider*") AND user_role!="administrator"
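The log indicators and SIEM query above, turned into runnable detection logic as an added Python example (not from the advisory or the plugin vendor). It assumes application-level request logging as JSON lines with the field names shown, because the admin-ajax `action` parameter usually travels in the POST body and does not appear in a standard web-server access log; the `prime_slider_demo_*` action names in the constructed sample are placeholders, not the plugin's real action names.

```python
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_MARKER = "prime_slider"  # same pattern as the SIEM query: action="*prime_slider*"

# Constructed sample events (not real logs). Assumed JSON fields: ts, ip,
# method, uri, body, user_role. Action names are placeholders.
SAMPLE_LOG = """\
{"ts":"2024-04-10T12:00:01Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=prime_slider_demo_save&id=3","user_role":"subscriber"}
{"ts":"2024-04-10T12:00:05Z","ip":"192.0.2.15","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=prime_slider_demo_save&id=3","user_role":"administrator"}
{"ts":"2024-04-10T12:00:09Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php?action=prime_slider_demo_reset","body":"","user_role":"anonymous"}
{"ts":"2024-04-10T12:00:12Z","ip":"203.0.113.4","method":"GET","uri":"/wp-admin/admin-ajax.php?action=heartbeat","body":"","user_role":"editor"}
"""

def extract_action(uri: str, body: str) -> str:
    """Return the admin-ajax 'action' parameter from the query string or the
    form-encoded POST body (query string wins when both carry one)."""
    for raw in (urlsplit(uri).query, body):
        action = parse_qs(raw).get("action")
        if action:
            return action[0]
    return ""

def is_suspicious(event: dict) -> bool:
    """Mirror the SIEM query: admin-ajax.php, a prime_slider action, and a
    caller who is not an administrator (anonymous callers included)."""
    uri = event.get("uri", "")
    if urlsplit(uri).path != AJAX_PATH:
        return False
    if ACTION_MARKER not in extract_action(uri, event.get("body", "")):
        return False
    return event.get("user_role", "anonymous") != "administrator"

def find_suspicious(log_text: str) -> list:
    """Parse JSON lines and return (ip, user_role, action) for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event["ip"], event["user_role"],
                         extract_action(event["uri"], event["body"])))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT non-admin prime_slider call:", hit)
```

Feed the same function the output of whatever request logger your site runs; only the field names need adapting.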
