CVE-2024-8107

6.4 MEDIUM

📋 TL;DR

The Slider Revolution WordPress plugin allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing cross-site scripting payloads. These scripts execute when users view the SVG files, potentially compromising visitor browsers. By default only administrators can exploit this, but plugin permissions can be extended to authors.

💻 Affected Systems

Products:
  • Slider Revolution WordPress Plugin
Versions: All versions up to and including 6.7.18
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires SVG upload functionality enabled and user with at least Author role permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Attackers with author access inject malicious scripts to steal visitor session cookies or credentials, potentially leading to account compromise.

🟢 If Mitigated

With proper user access controls limiting who can upload SVG files, impact is reduced to only trusted administrators.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple - just uploading a malicious SVG file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7.19

Vendor Advisory: https://www.sliderrevolution.com/documentation/changelog/#6-7-19

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Slider Revolution.
4. Click 'Update Now' if available, or download version 6.7.19+ from sliderrevolution.com.
5. Upload and activate the updated plugin.

🔧 Temporary Workarounds

Disable SVG Uploads (scope: all)

Prevent SVG file uploads through WordPress configuration or security plugins.

Restrict User Roles (scope: all)

Limit Slider Revolution plugin access to Administrators only.

🧯 If You Can't Patch

  • Remove Slider Revolution plugin entirely if not needed
  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Slider Revolution → Version number. If version is 6.7.18 or lower, you are vulnerable.

Check Version:

wp plugin list --name=slider-revolution --field=version

Verify Fix Applied:

Verify Slider Revolution version is 6.7.19 or higher in WordPress admin panel.
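The version check above is easy to get wrong when scripted, because comparing version strings lexically puts "6.7.9" after "6.7.18". The following is an added example (not from the advisory or the vendor) that reads the plugin version with the WP-CLI command given above and compares it against the fixed version as integer tuples; the plugin slug `slider-revolution` is taken from the page's command and is assumed to be correct for the installation being checked.

```python
"""Added example: decide whether an installed Slider Revolution version falls in the
affected range for CVE-2024-8107 (all versions <= 6.7.18; fixed in 6.7.19, per the advisory)."""
import re
import subprocess

FIXED_VERSION = "6.7.19"           # fixed version stated in the advisory
PLUGIN_SLUG = "slider-revolution"  # slug as used in the advisory's wp-cli command (assumption)


def parse_version(text):
    """Turn '6.7.18' (optionally 'v6.7.18-beta') into a tuple of ints for correct ordering."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed version.

    Tuple comparison is used deliberately: as strings, "6.7.9" > "6.7.18", which would
    wrongly mark 6.7.9 as patched (the same pitfall applies to SIEM queries that compare
    version fields as text).
    """
    return parse_version(installed) < parse_version(fixed)


def installed_version(slug=PLUGIN_SLUG):
    """Ask WP-CLI for the plugin version using the advisory's command; None if it fails."""
    cmd = ["wp", "plugin", "list", f"--name={slug}", "--field=version"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("could not read the plugin version via wp-cli (run from the WordPress root)")
    else:
        state = "VULNERABLE (update to 6.7.19 or later)" if is_vulnerable(version) else "patched"
        print(f"Slider Revolution {version}: {state}")
```

Run it from the WordPress root where `wp` works; when WP-CLI is unavailable, `is_vulnerable()` can be called directly with the version read from the admin panel.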

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads by non-admin users
  • Multiple failed SVG upload attempts

Network Indicators:

  • Requests to SVG files with suspicious parameters or scripts in URLs

SIEM Query:

source="wordpress" AND (event="plugin_update" AND plugin="slider-revolution" AND version<="6.7.18") OR (event="file_upload" AND file_extension="svg" AND user_role!="administrator")
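Log and network indicators only show that an SVG was uploaded; confirming whether an already-uploaded file carries active content requires inspecting the files themselves. The script below is an added example, not part of the advisory, that walks an uploads directory (the `wp-content/uploads` default is an assumption) and flags SVG markup that can execute when the file is opened directly in a browser: `<script>` and `<foreignObject>`-style elements, `on*` event-handler attributes, and `href` values using `javascript:` or `data:` URLs. The two sample SVGs are constructed inline so the logic can be exercised without a WordPress install.

```python
"""Added example: scan SVG files under a WordPress uploads tree for markup that can run
script when the file is viewed directly. Sample inputs below are constructed, not real uploads."""
import os
import re
import sys
import xml.etree.ElementTree as ET

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)            # onload, onclick, onerror, ...
JS_URL = re.compile(r"^\s*(?:javascript|data):", re.I)  # script-bearing or inline-document URLs
SUSPECT_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name):
    """Strip the XML namespace from a tag or attribute name: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return a list of human-readable findings for one SVG document (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML still gets rendered by browsers in some cases, so report it.
        return [f"unparseable XML ({exc}); inspect manually"]
    findings = []
    for el in root.iter():
        tag = local(el.tag) if isinstance(el.tag, str) else ""
        if tag in SUSPECT_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and JS_URL.match(value):
                findings.append(f"href with script/data URL on <{tag}>")
    return findings


def scan_tree(uploads_dir):
    """Walk a directory (assumed: wp-content/uploads) and map each flagged SVG to its findings."""
    report = {}
    for dirpath, _, files in os.walk(uploads_dir):
        for fname in files:
            if fname.lower().endswith(".svg"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    found = svg_findings(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed samples: a benign icon and one carrying an event handler plus a script element.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
              b'<script>/* constructed sample, does nothing */</script></svg>')

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, found in scan_tree(target).items():
        print(path, "->", "; ".join(found))
```

Pair the scan with the upload log review: an SVG flagged here that was uploaded by a non-administrator account is exactly the condition the SIEM query above is looking for, and the file should be quarantined and the uploading account reviewed.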
