Published:2024/08/30  Last Updated:2024/08/30

JVN#25264194
Multiple vulnerabilities in WordPress plugin "Carousel Slider"

Overview

WordPress plugin "Carousel Slider" provided by Sayful Islam contains multiple vulnerabilities.

Products Affected

CVE-2024-45269
  • Carousel Slider versions prior to 2.0

CVE-2024-45270
  • Carousel Slider versions prior to 2.2.4

Description

WordPress plugin "Carousel Slider" provided by Sayful Islam contains the two cross-site request forgery (CSRF) vulnerabilities listed below.

  • Cross-site request forgery on Carousel image selection feature (CWE-352)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2024-45269
  • Cross-site request forgery on Hero image selection feature (CWE-352)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2024-45270

Impact

A user who is logged in to a WordPress site with the Carousel Slider plugin enabled and who accesses a crafted page may be made to alter the contents of the WordPress site without intending to.
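As an added illustration of the vulnerability class described above, not the plugin's own code (the advisory does not show it): a hypothetical WordPress AJAX handler that stores a selected image for a slide without any request-origin check, beside a hardened version that verifies a nonce, checks the caller's capability and validates the image ID. All action, meta and script names are invented.

```php
<?php
// Added illustration, not Carousel Slider's code. All names below are hypothetical.

// VULNERABLE PATTERN: a logged-in user's browser can be made to submit this
// request from a crafted page; the handler cannot distinguish a forged request
// from a genuine one because it never checks a nonce or a capability.
add_action( 'wp_ajax_demo_save_slide_image_vuln', function () {
    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $image_id = absint( $_POST['image_id'] ?? 0 );
    update_post_meta( $post_id, '_demo_slide_image', $image_id );
    wp_send_json_success();
} );

// HARDENED PATTERN: the nonce ties the request to a page WordPress rendered for
// this user, and the capability check limits who may change this post.
add_action( 'wp_ajax_demo_save_slide_image', function () {
    // Ends the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_slide_image', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $image_id = absint( $_POST['image_id'] ?? 0 );

    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Accept only an ID that refers to an existing image attachment.
    if ( ! $image_id || ! wp_attachment_is_image( $image_id ) ) {
        wp_send_json_error( 'invalid image', 400 );
    }

    update_post_meta( $post_id, '_demo_slide_image', $image_id );
    wp_send_json_success( array( 'image_id' => $image_id ) );
} );

// The nonce is issued server-side when the editing screen is rendered and handed
// to the page's script, which must send it back with each save request.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'demo-slide', plugins_url( 'demo-slide.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-slide', 'demoSlide', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_slide_image' ),
    ) );
    wp_enqueue_script( 'demo-slide' );
} );
```

A crafted third-party page cannot read the nonce out of the victim's admin screen, so its forged request fails the `check_ajax_referer` call before any data is written.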

Solution

Update the plugin
Update the plugin to the latest version according to the information provided by the developer.

Credit

RyotaK of Flatt Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-45269, CVE-2024-45270
JVN iPedia: JVNDB-2024-000092