CVE-2024-10149: 
WordPress vulnerability analysis and mitigation

CVE-2024-10149 affects the Social Slider Feed WordPress plugin versions before 2.2.9. The vulnerability was discovered by Dmitrii Ignatyev and was published on May 15, 2025. This security flaw exists in the plugin's settings functionality, where certain parameters are not properly sanitized and escaped (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The security flaw specifically relates to inadequate sanitization and escaping of plugin settings, which can be exploited even when the unfiltered_html capability is disabled in multisite setups (NVD, WPScan).

The vulnerability allows authenticated users with administrative privileges to store and execute malicious JavaScript code in the plugin's settings. This could potentially affect other users who access the affected pages, even in environments where unfiltered HTML is typically restricted (Wiz).

Users should upgrade to Social Slider Feed version 2.2.9 or later, which contains the fix for this vulnerability (WPScan).