CVE-2024-5640
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into web pages using the Prime Slider plugin's Pacific widget. The stored XSS payload executes whenever users visit the compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Prime Slider – Addons For Elementor (WordPress plugin)
📦 What is this software?
Prime Slider by Bdthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user data, display unwanted content, or redirect visitors to phishing sites.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement or minor data leakage from affected pages only.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is well-documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.14.8 or later
Vendor Advisory: https://wordpress.org/plugins/bdthemes-prime-slider-lite/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Prime Slider – Addons For Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Pacific Widget
allTemporarily disable the vulnerable Pacific widget component
Navigate to WordPress admin → Elementor → Settings → Advanced → Disable Pacific widget
Restrict User Roles
allLimit contributor-level access to trusted users only
Use WordPress role management plugins to restrict contributor capabilities
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Remove contributor access for untrusted users and audit existing contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Prime Slider version. If version is 3.14.7 or lower, you are vulnerable.Check Version:
wp plugin list --name='Prime Slider' --field=versionVerify Fix Applied:
After updating, verify version shows 3.14.8 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Pacific widget endpoints
- Multiple page edits by contributor-level users
- Script tags containing unusual attributes in page content
Network Indicators:
- Unexpected script loads from compromised pages
- Data exfiltration to external domains
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "pacific") OR (event_type="page_edit" AND user_role="contributor")🔗 References
- https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/3.14.7/modules/pacific/widgets/pacific.php#L1462
- https://plugins.trac.wordpress.org/changeset/3097891/#file372
- https://wordpress.org/plugins/bdthemes-prime-slider-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9820b52b-540a-47e8-9e5f-274ef1720ffa?source=cve
- https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/3.14.7/modules/pacific/widgets/pacific.php#L1462
- https://plugins.trac.wordpress.org/changeset/3097891/#file372
- https://wordpress.org/plugins/bdthemes-prime-slider-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9820b52b-540a-47e8-9e5f-274ef1720ffa?source=cve
