CVE-2024-6490

6.5 MEDIUM

📋 TL;DR

This CSRF vulnerability in the Master Slider WordPress plugin allows attackers to trick authenticated administrators into unknowingly submitting malicious requests that delete all sliders. It affects WordPress sites using Master Slider plugin versions up to 3.9.10. Attackers can exploit this by luring administrators to malicious web pages while logged into their WordPress dashboard.

💻 Affected Systems

Products:
  • Master Slider WordPress plugin
Versions: through 3.9.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress administrator to be logged in and to visit a malicious page while authenticated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

All Master Slider content is permanently deleted, causing website functionality loss and requiring restoration from backups.

🟠

Likely Case

Attackers delete slider content, disrupting website appearance and functionality until restoration.

🟢

If Mitigated

With proper CSRF protections, the attack fails and no sliders are deleted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated administrators.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.11 or later

Vendor Advisory: https://wpscan.com/vulnerability/5a56e5aa-841d-4be5-84da-4c3b7602f053/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Master Slider and click 'Update Now'.
4. Verify the version is 3.9.11 or higher.

🔧 Temporary Workarounds

CSRF Protection via WordPress Nonce

all

Add CSRF protection to Master Slider delete functionality

Requires code modification - not recommended for non-developers
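As an added illustration of what this workaround means in practice (example code written for this page, not Master Slider's own source), the handler below shows the shape of an admin-ajax delete action that relies on the administrator's cookie alone, beside the same action guarded by a capability check and a WordPress nonce. The hook name `ms_example_delete_slider`, the nonce action string, the option key and the script handle are all assumptions chosen for the example.

```php
<?php
// Added example, not Master Slider's code. Hook names, nonce action, option
// key and script handle are assumptions for illustration.

// Vulnerable shape: any request that carries an administrator's session
// cookie is accepted, so a form submitted from a third-party page succeeds.
function ms_example_delete_slider_unprotected() {
    $id = isset($_POST['slider_id']) ? absint($_POST['slider_id']) : 0;
    delete_option('ms_example_slider_' . $id);
    wp_send_json_success(['deleted' => $id]);
}

// Hardened shape: the caller must hold the right capability AND present a
// nonce that WordPress generated for this user and this action. A page on
// another origin cannot read that nonce, so a forged request dies here.
function ms_example_delete_slider_protected() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // Looks for $_POST['nonce'] (or $_GET['nonce']) and exits with -1 if it
    // does not verify against the action 'ms_example_delete_slider'.
    check_ajax_referer('ms_example_delete_slider', 'nonce');

    $id = isset($_POST['slider_id']) ? absint($_POST['slider_id']) : 0;
    if ($id === 0) {
        wp_send_json_error('missing slider_id', 400);
    }
    delete_option('ms_example_slider_' . $id);
    wp_send_json_success(['deleted' => $id]);
}
add_action('wp_ajax_ms_example_delete_slider', 'ms_example_delete_slider_protected');

// The nonce has to reach the legitimate admin JavaScript somehow; handing it
// over with wp_localize_script is the usual pattern. The script then posts
// action=ms_example_delete_slider, slider_id and nonce to msExample.ajaxUrl.
function ms_example_enqueue_admin_script() {
    wp_enqueue_script(
        'ms-example-admin',
        plugins_url('admin.js', __FILE__),
        ['jquery'],
        '1.0',
        true
    );
    wp_localize_script('ms-example-admin', 'msExample', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('ms_example_delete_slider'),
    ]);
}
add_action('admin_enqueue_scripts', 'ms_example_enqueue_admin_script');
```

The capability check and the nonce check do different jobs: the first stops low-privilege users, the second stops requests that an administrator's browser was tricked into sending. Only the combination closes the CSRF path described in this advisory, which is why the nonce check alone would still be insufficient if the action were reachable by non-administrators.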

Restrict Administrator Access

all

Limit administrator access to trusted networks only

🧯 If You Can't Patch

  • Disable Master Slider plugin temporarily
  • Implement web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Master Slider version

Check Version:

wp plugin list --name='master-slider' --field=version

Verify Fix Applied:

Confirm Master Slider version is 3.9.11 or higher in WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

  • Multiple slider delete requests from same administrator session
  • Unusual POST requests to master-slider admin endpoints

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=delete_slider
  • Referer headers pointing to external domains

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "delete_slider")
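To show how the log and network indicators above combine into a rule, here is a small standalone detector (added for this page, not part of the advisory or the plugin) that applies them to constructed log records. The records are made up and use field names that mirror the SIEM query (`uri_path`, `post_data`) plus `referer` and `session`; the site hostname and the per-session threshold are assumptions.

```php
<?php
// Added example, not part of the advisory. Log records below are constructed;
// the field names follow the SIEM query above. SITE_HOST and BURST_THRESHOLD
// are assumptions a deployment would set for itself.

const SITE_HOST = 'shop.example';  // assumption: hostname of the protected site
const BURST_THRESHOLD = 3;         // assumption: deletes per session worth flagging

// Constructed records: one legitimate delete from the plugin's own admin page,
// three deletes in one session with a Referer on another host, one unrelated GET.
$records = <<<'LOG'
{"ts":"2024-07-08T10:01:02Z","session":"s1","method":"POST","uri_path":"/wp-admin/admin-ajax.php","referer":"https://shop.example/wp-admin/admin.php?page=master-slider","post_data":"action=delete_slider&slider_id=4&nonce=abc"}
{"ts":"2024-07-08T10:05:40Z","session":"s2","method":"POST","uri_path":"/wp-admin/admin-ajax.php","referer":"https://external-example.test/promo.html","post_data":"action=delete_slider&slider_id=1"}
{"ts":"2024-07-08T10:05:41Z","session":"s2","method":"POST","uri_path":"/wp-admin/admin-ajax.php","referer":"https://external-example.test/promo.html","post_data":"action=delete_slider&slider_id=2"}
{"ts":"2024-07-08T10:05:41Z","session":"s2","method":"POST","uri_path":"/wp-admin/admin-ajax.php","referer":"https://external-example.test/promo.html","post_data":"action=delete_slider&slider_id=3"}
{"ts":"2024-07-08T10:06:00Z","session":"s3","method":"GET","uri_path":"/wp-admin/admin-ajax.php","referer":"","post_data":""}
LOG;

function ms_detect(string $log, string $siteHost, int $threshold): array {
    $findings   = [];
    $perSession = [];

    foreach (explode("\n", trim($log)) as $line) {
        $r = json_decode($line, true);
        if (!is_array($r)) {
            continue; // skip malformed lines rather than abort the scan
        }
        // Indicator 1: POST to admin-ajax.php carrying the slider delete action.
        if ($r['method'] !== 'POST' || $r['uri_path'] !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str($r['post_data'], $body);
        if (($body['action'] ?? '') !== 'delete_slider') {
            continue;
        }
        // Indicator 2: Referer host other than the site itself. An absent Referer
        // is not treated as a finding on its own (Referrer-Policy can strip it).
        $refHost = parse_url($r['referer'], PHP_URL_HOST);
        if ($refHost !== null && $refHost !== $siteHost) {
            $findings[] = sprintf('%s session=%s delete_slider with external referer %s',
                $r['ts'], $r['session'], $refHost);
        }
        // Indicator 3: many deletes from one administrator session.
        $perSession[$r['session']] = ($perSession[$r['session']] ?? 0) + 1;
    }

    foreach ($perSession as $session => $count) {
        if ($count >= $threshold) {
            $findings[] = sprintf('session=%s issued %d slider deletes', $session, $count);
        }
    }
    return $findings;
}

foreach (ms_detect($records, SITE_HOST, BURST_THRESHOLD) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php detect.php`; on the constructed input it reports the three external-Referer deletes from session s2 and then the burst for s2, while s1's delete from the plugin's own admin page produces nothing. The Referer check is a detection heuristic only: browsers may omit the header, so the nonce verification described under Temporary Workarounds remains the control that actually stops the request.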

🔗 References
