CVE-2024-35722

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the WordPress Slider Responsive Slideshow plugin that allows unauthorized users to perform actions that should require authentication. It affects every WordPress site running this plugin at any version up to and including 1.4.0. Attackers could potentially modify slideshow content or settings without the permissions those actions should require.

💻 Affected Systems

Products:
  • Slider Responsive Slideshow – Image slider, Gallery slideshow WordPress plugin
Versions: All versions up to and including 1.4.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with this plugin active. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could modify or delete slideshow content, inject malicious code into slides, or disrupt website functionality by altering slider settings.

🟠 Likely Case

Low-privileged users or attackers could modify slideshow content they shouldn't have access to, potentially defacing websites or inserting unwanted content.

🟢 If Mitigated

With proper access controls and authentication checks, only authorized administrators could modify slideshow settings and content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/slider-responsive-slideshow/wordpress-slider-responsive-slideshow-image-slider-gallery-slideshow-plugin-1-4-0-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Slider Responsive Slideshow'
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 1.4.1+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate slider-responsive-slideshow

Restrict Access (platform: all)

Use web application firewall rules to restrict access to plugin admin functions.

🧯 If You Can't Patch

  • Disable the Slider Responsive Slideshow plugin immediately
  • Implement strict access controls and monitor for unauthorized modification attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Slider Responsive Slideshow' version 1.4.0 or earlier

Check Version:

wp plugin get slider-responsive-slideshow --field=version

Verify Fix Applied:

Verify plugin version is 1.4.1 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to plugin admin endpoints
  • Unexpected modifications to slideshow settings or content

Network Indicators:

  • Unusual traffic to /wp-content/plugins/slider-responsive-slideshow/ endpoints from unauthenticated users

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "slider-responsive-slideshow") AND http_method="POST" AND user="-"
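The SIEM query above, applied to raw web-server logs as an added example (not part of this advisory): it parses constructed Apache combined-format lines and flags unauthenticated POSTs to admin-ajax.php or to anything under the plugin's path. It assumes a custom LogFormat that appends a `wp_user=` field, since WordPress uses cookie sessions and the standard HTTP-auth user column is almost always "-"; the plugin endpoint name in the sample is a placeholder, not one the advisory names.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not real traffic). The trailing "wp_user=" field is an
# assumed custom LogFormat addition; the "example-endpoint.php" name is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0" wp_user=-
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-content/plugins/slider-responsive-slideshow/example-endpoint.php HTTP/1.1" 200 77 "-" "curl/8.0" wp_user=-
198.51.100.4 - - [10/Jun/2024:12:01:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.test/wp-admin/" "Mozilla/5.0" wp_user=admin
198.51.100.9 - - [10/Jun/2024:12:02:00 +0000] "GET /wp-content/plugins/slider-responsive-slideshow/css/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0" wp_user=-
"""

# Apache "combined" format, plus the optional assumed wp_user= suffix.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<auth_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: wp_user=(?P<wp_user>\S+))?$'
)


def is_suspicious(rec: Dict[str, Optional[str]]) -> bool:
    """Mirror of the SIEM query: POST to admin-ajax.php or the plugin path with no logged-in user.

    Note: admin-ajax.php also serves legitimate anonymous (nopriv) actions, so the
    admin-ajax branch is noisy on its own; the plugin-path branch is the tighter signal.
    """
    if rec["method"] != "POST":
        return False
    path = (rec["path"] or "").split("?", 1)[0]
    targets_plugin = path == "/wp-admin/admin-ajax.php" or "slider-responsive-slideshow" in path
    # Prefer the WordPress login name when the log records it; fall back to HTTP-auth user.
    user = rec["wp_user"] if rec["wp_user"] is not None else rec["auth_user"]
    return targets_plugin and user in ("-", "")


def find_unauthenticated_plugin_posts(log_text: str) -> List[Dict[str, str]]:
    """Return (ip, timestamp, path) for every log line matching the detection logic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        rec = m.groupdict()
        if is_suspicious(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_plugin_posts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} POST {hit['path']} (no authenticated user)")
```

On a real site, correlate hits with the "Unexpected modifications to slideshow settings or content" indicator rather than alerting on admin-ajax.php volume alone.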
