CVE-2024-8283

4.8 MEDIUM

📋 TL;DR

This vulnerability allows authenticated administrators in WordPress to inject malicious scripts into plugin settings, which then execute when other users view affected pages. It affects WordPress sites using the Slider by 10Web plugin before version 1.2.59, particularly in multisite configurations where unfiltered_html capability is restricted.

💻 Affected Systems

Products:
  • Slider by 10Web WordPress Plugin
Versions: All versions before 1.2.59
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin. Most impactful in multisite setups where unfiltered_html is disallowed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin privileges could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Malicious admin injects JavaScript payloads that execute when other users view plugin settings pages, potentially compromising user accounts or spreading malware.

🟢 If Mitigated

With proper access controls limiting admin privileges and regular security updates, impact is minimal as exploitation requires high-privilege access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access to WordPress. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.59

Vendor Advisory: https://wpscan.com/vulnerability/a60aed55-c0a2-4912-8844-cdddf31d90b6/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Slider by 10Web' and click 'Update Now'.
4. Verify the version is 1.2.59 or later.

🔧 Temporary Workarounds

Remove vulnerable plugin (applies to: all)

Temporarily deactivate and remove the plugin if it is not essential:

wp plugin deactivate slider-by-10web
wp plugin delete slider-by-10web

Restrict admin access (applies to: all)

Limit the number of users with admin privileges and implement strong authentication.

🧯 If You Can't Patch

  • Implement strict access controls to limit admin privileges to trusted users only
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Slider by 10Web. If the installed version is below 1.2.59, the site is vulnerable.

Check Version:

wp plugin get slider-by-10web --field=version

Verify Fix Applied:

Confirm plugin version is 1.2.59 or higher in WordPress admin panel.
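The version check above can be scripted so it does not rely on a human comparing strings in the admin panel. The following is an added example, not code from the advisory or from 10Web: it compares a version string component by component against the fixed release 1.2.59 in plain POSIX sh (no dependence on `sort -V`), and `check_site` wraps the `wp plugin get` command the advisory already gives. It assumes WP-CLI is installed and run from the site's directory.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# Slider by 10Web version is below the fixed release 1.2.59.
FIXED_VERSION="1.2.59"

# version_lt A B -> returns 0 (true) when A is strictly lower than B,
# comparing dot-separated numeric components; missing components count as 0.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"
        bh="${b%%.*}"
        # strip the leading component (or empty the string when none remain)
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"
        bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ] 2>/dev/null; then return 0; fi
        if [ "$ah" -gt "$bh" ] 2>/dev/null; then return 1; fi
    done
    return 1
}

# is_vulnerable VERSION -> 0 (true) when VERSION is older than 1.2.59
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: query the live install with WP-CLI (assumes wp is on PATH and
# the current directory is the WordPress root). Exit codes: 0 patched,
# 1 vulnerable, 2 plugin absent or wp unavailable.
check_site() {
    installed="$(wp plugin get slider-by-10web --field=version 2>/dev/null)" || {
        echo "slider-by-10web not installed or wp-cli unavailable"
        return 2
    }
    if is_vulnerable "$installed"; then
        echo "VULNERABLE: slider-by-10web $installed is below $FIXED_VERSION"
        return 1
    fi
    echo "OK: slider-by-10web $installed is $FIXED_VERSION or later"
    return 0
}
```

Run `check_site` from the WordPress root; a non-zero exit makes it usable as a gate in a fleet-wide inventory job.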

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying plugin settings
  • JavaScript payloads in plugin configuration data

Network Indicators:

  • Unexpected outbound connections from WordPress admin pages
  • Suspicious script tags in HTTP responses

SIEM Query:

source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="slider-by-10web"
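The log indicator "JavaScript payloads in plugin configuration data" can be checked directly against stored options rather than waiting for a page render. The following is an added example, not code from the advisory or from 10Web: a grep-based scanner for script tags, `javascript:` URLs and inline event handlers in option dumps, exercised on a constructed sample (the option names are hypothetical; the advisory does not name the plugin's real option keys). `scan_live_site` assumes WP-CLI is available and uses `wp option list --format=csv` to feed the scanner every stored option.

```shell
#!/bin/sh
# Added example (not from the advisory): flag stored option values that
# carry script markup of the kind a stored-XSS payload would leave behind.

# Markup that should never appear in slider captions, titles or links.
SCRIPT_PATTERN='<[[:space:]]*script|javascript:|[[:space:]]on[a-z]+[[:space:]]*=|&lt;script|%3cscript'

# scan_for_script_markup: reads option lines on stdin, prints matching lines
# with line numbers; exit status 0 when at least one hit was found.
scan_for_script_markup() {
    grep -inE "$SCRIPT_PATTERN"
}

# count_script_hits: reads option lines on stdin, prints the number of
# matching lines (0 when clean); always exits 0 so it is safe under set -e.
count_script_hits() {
    grep -icE "$SCRIPT_PATTERN" || true
}

# Constructed sample of key=value option lines (names are hypothetical).
# Three lines carry markup, two are benign.
SAMPLE_OPTIONS='example_slider_title=Summer sale
example_slider_caption=<script>alert(1)</script>
example_slider_link=javascript:alert(1)
example_slider_alt=Plain text with no markup
example_slider_desc=<img src=x onerror=alert(1)>'

# scan_sample: runs the scanner over the constructed data; returns the hit count
scan_sample() {
    printf '%s\n' "$SAMPLE_OPTIONS" | count_script_hits
}

# scan_live_site: dumps every option of the live install (assumes WP-CLI on
# PATH, run from the WordPress root) and reports any line with script markup.
scan_live_site() {
    if wp option list --format=csv | scan_for_script_markup; then
        echo "ALERT: script markup present in stored options"
        return 1
    fi
    echo "OK: no script markup in stored options"
    return 0
}
```

Pair the scanner with a change trigger (the `option_updated` events in the SIEM query above) so an administrator editing slider settings immediately re-runs the check; a hit points at the exact option to inspect and clean.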

🔗 References
