CVE-2024-7150

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform time-based blind SQL injection through the 'id' parameter of the Slider by 10Web plugin. Because the injection is blind, an attacker extracts database contents by observing response delays, one answer per request; that is slower than a classic injection but fully automated by common tooling. Every WordPress site running a vulnerable version of the plugin with the plugin active is affected.

💻 Affected Systems

Products:
  • Slider by 10Web – Responsive Image Slider WordPress plugin
Versions: All versions up to and including 1.2.57
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with at least Contributor role. Plugin must be active and in use.

📦 What is this software?

Slider by 10Web (plugin slug slider-wd) is a responsive image slider plugin for WordPress, distributed through the wordpress.org plugin directory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Extraction of the entire WordPress database, including user password hashes and any sensitive content held in posts, options or plugin tables; cracked or reused credentials can then lead to privilege escalation and full site control.

🟠

Likely Case

Data exfiltration of sensitive information from WordPress database tables including user data, posts, and plugin-specific information.

🟢

If Mitigated

Limited impact if Contributor-and-higher accounts are restricted to trusted users and a web application firewall filters SQL injection patterns; any account that retains such a role can still read database contents, so these controls reduce exposure rather than remove it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid Contributor-or-higher account, but once one is obtained the injection is straightforward: time-based blind extraction needs only basic SQL knowledge and is automated by standard SQL injection tooling, at the cost of many requests per extracted value.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.58 or later

Vendor Advisory: https://wordpress.org/plugins/slider-wd/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Slider by 10Web' and click 'Update Now'.
4. Verify that the plugin version is 1.2.58 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

Temporarily deactivate the Slider by 10Web plugin until it can be updated:

wp plugin deactivate slider-wd

Restrict user roles (Platform: all)

Limit Contributor and higher roles to trusted users only.

🧯 If You Can't Patch

  • Remove Contributor and higher roles from untrusted users; any account that keeps such a role, including a compromised one, can still exploit the flaw
  • Put a web application firewall with SQL injection rules in front of the site as defence in depth; time-based payloads can be obfuscated, so treat the WAF as a speed bump, not a fix

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Slider by 10Web version number. Any version 1.2.57 or lower is vulnerable; an inactive install cannot be exploited but should still be updated before it is reactivated.

Check Version:

wp plugin get slider-wd --field=version

Verify Fix Applied:

Confirm plugin version is 1.2.58 or higher in WordPress admin
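For checking many sites at once, the admin panel does not scale, and a naive string comparison of versions gets this wrong ('1.2.9' sorts after '1.2.57' as text). The following is an added example, not code from the advisory or from 10Web: it reads the JSON that `wp plugin list --format=json` prints, compares versions numerically against the 1.2.58 fix, and reports whether the plugin is active (the advisory notes the plugin must be active to be exploitable). The sample JSON is constructed to mimic wp-cli output; `assess_live_site` is a hypothetical wrapper that shells out to wp-cli and is not called at import time.

```python
"""Fleet check for CVE-2024-7150: flag installs where slider-wd is <= 1.2.57.

Added example, not part of the advisory or the plugin. The plugin list
format follows `wp plugin list --format=json`; the samples below are constructed.
"""
import json
import subprocess
from typing import Optional

FIXED_VERSION = (1, 2, 58)   # first non-vulnerable release per the advisory
PLUGIN_SLUG = "slider-wd"


def parse_version(version: str) -> tuple:
    """Turn '1.2.57' into (1, 2, 57) so comparison is numeric, not lexical.

    A suffix such as '1.2.57-beta' is tolerated by keeping the leading digits
    of each dotted component; a missing component counts as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for every release below 1.2.58, i.e. 1.2.57 and earlier."""
    return parse_version(version) < FIXED_VERSION


def assess(plugin_list_json: str) -> Optional[dict]:
    """Return a finding if slider-wd is installed at a vulnerable version, else None.

    'active' records whether the install is currently exploitable; an inactive
    vulnerable copy still needs updating before anyone reactivates it.
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "")
        if not is_vulnerable_version(version):
            return None
        return {
            "version": version,
            "active": plugin.get("status") == "active",
            "action": "update to 1.2.58 or later (wp plugin update slider-wd)",
        }
    return None


def assess_live_site(wp_path: str) -> Optional[dict]:
    """Hypothetical helper: run wp-cli against a real install and assess the output."""
    out = subprocess.run(
        ["wp", "--path=" + wp_path, "plugin", "list", "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return assess(out)


# Constructed samples shaped like wp-cli output: one vulnerable, one patched.
SAMPLE_VULNERABLE = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "slider-wd", "status": "active", "update": "available", "version": "1.2.57"},
])
SAMPLE_PATCHED = json.dumps([
    {"name": "slider-wd", "status": "active", "update": "none", "version": "1.2.58"},
])

if __name__ == "__main__":
    print("vulnerable sample:", assess(SAMPLE_VULNERABLE))
    print("patched sample:   ", assess(SAMPLE_PATCHED))
```

Run it against each site's `wp plugin list --format=json` output (for example collected over SSH) and act on every non-None result; a result with `"active": False` is lower priority but still a pending update.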

📡 Detection & Monitoring

Log Indicators:

  • Queries containing SLEEP() or BENCHMARK() in the MySQL/MariaDB slow query log or general query log; time-based payloads are built to run for seconds, so they cross any sensible long_query_time. Note that WP_DEBUG_LOG records PHP errors, not SQL statements, so it will not show the injected queries
  • Multiple requests from one account or client with varying 'id' values, each taking a consistent multi-second delay while comparable requests return in milliseconds

Network Indicators:

  • Repeated POST requests to slider-wd endpoints whose 'id' value carries SQL-like payloads, including URL-encoded or double-encoded forms (SLEEP%285%29, %2528), and whose responses are consistently slower than baseline

SIEM Query:

source="wordpress" AND uri_path="*slider-wd*" AND (query_string="*SLEEP*" OR query_string="*BENCHMARK*")

Match case-insensitively (MySQL function names are not case-sensitive, so sleep(5) works as well as SLEEP(5)) and, where the SIEM allows it, on the URL-decoded query string; raw logs carry the parenthesis as %28. WAITFOR, often included in generic SQL injection searches, is SQL Server syntax that cannot run against WordPress's MySQL/MariaDB backend, so it only adds noise here. Pair the keyword match with a response-time condition (requests to the same path that take several seconds longer than baseline) to catch payloads that avoid the obvious function names.
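The indicators above can be checked directly against the web server access log without touching WordPress. The following is an added example, not detection content from the advisory: it parses constructed access log lines in a combined format with the request time appended as the final field (the nginx `$request_time` style), URL-decodes the request twice so double-encoded payloads still match, and raises a high finding for SLEEP()/BENCHMARK() in the 'id' value, a medium finding for a slow response to an 'id' request without a recognisable keyword, and a low finding for a client cycling through many distinct 'id' values. The request path `/wp-admin/admin.php?page=slider-wd` in the samples is a placeholder, not the plugin's real route; match on whatever slider-wd endpoint your install exposes.

```python
"""Detection logic for CVE-2024-7150 probing, run over constructed access log lines.

Added example, not from the advisory. Log layout (combined format plus a
trailing request-time field in seconds) and all sample lines are constructed;
the slider-wd path used in the samples is a placeholder.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
# Timing primitives MySQL/MariaDB actually provide; WAITFOR is SQL Server syntax
# and never applies to a WordPress backend, so it is deliberately not listed.
TIMING_RE = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)
ID_RE = re.compile(r'[?&]id=([^&]*)')


def decode(uri: str) -> str:
    """Decode twice: %2528 -> %28 -> '(' so double-encoded payloads still match."""
    return unquote_plus(unquote_plus(uri))


def analyze(lines, slow_seconds=3.0, distinct_id_limit=3):
    """Return findings (dicts with ip, severity, reason, id) for slider-wd 'id' requests."""
    findings = []
    ids_seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than stop the pipeline
        uri = decode(m['uri'])
        if 'slider-wd' not in uri:
            continue
        idm = ID_RE.search(uri)
        if not idm:
            continue
        id_value = idm.group(1)
        rt = float(m['rt'])
        ids_seen[m['ip']].add(id_value)
        if TIMING_RE.search(id_value):
            findings.append({'ip': m['ip'], 'severity': 'high',
                             'reason': 'timing primitive in id', 'id': id_value})
        elif rt >= slow_seconds:
            # A deliberately heavy query can delay the response without SLEEP/BENCHMARK.
            findings.append({'ip': m['ip'], 'severity': 'medium',
                             'reason': f'slow response ({rt:.1f}s) for id request',
                             'id': id_value})
    for ip, ids in ids_seen.items():
        if len(ids) >= distinct_id_limit:
            findings.append({'ip': ip, 'severity': 'low',
                             'reason': f'{len(ids)} distinct id values', 'id': None})
    return findings


# Constructed sample lines: one client sending encoded, double-encoded and
# BENCHMARK payloads, a second client with a heavy query and no keyword, and
# benign traffic that must not be flagged.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Aug/2024:10:00:01 +0000] "POST /wp-admin/admin.php?page=slider-wd&id=1 HTTP/1.1" 200 512 0.041',
    '203.0.113.5 - - [10/Aug/2024:10:00:02 +0000] "POST /wp-admin/admin.php?page=slider-wd&id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 5.012',
    '203.0.113.5 - - [10/Aug/2024:10:00:08 +0000] "POST /wp-admin/admin.php?page=slider-wd&id=1%2520AND%2520sleep%25285%2529 HTTP/1.1" 200 512 5.020',
    '203.0.113.5 - - [10/Aug/2024:10:00:14 +0000] "POST /wp-admin/admin.php?page=slider-wd&id=1%20AND%20BENCHMARK%285000000%2CSHA1%281%29%29 HTTP/1.1" 200 512 4.870',
    '192.0.2.9 - - [10/Aug/2024:10:01:00 +0000] "POST /wp-admin/admin.php?page=slider-wd&id=7%20AND%20%28SELECT%20COUNT%28%2A%29%20FROM%20information_schema.columns%20A%2Cinformation_schema.columns%20B%29 HTTP/1.1" 200 512 6.300',
    '198.51.100.7 - - [10/Aug/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=slider-wd&id=3 HTTP/1.1" 200 512 0.050',
    '198.51.100.7 - - [10/Aug/2024:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 0.030',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Feed it your real access log (`analyze(open(path))` works line by line) and tune `slow_seconds` to your baseline; the medium tier exists because an attacker who knows the keyword rule can still induce delays with expensive subqueries, which is why the timing condition matters more than the keyword list.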
