CVE-2024-45270: 
WordPress vulnerability analysis and mitigation

WordPress plugin 'Carousel Slider' version prior to 2.2.4 contains a cross-site request forgery (CSRF) vulnerability in the Hero image selection feature. The vulnerability was discovered in August 2024 and assigned CVE-2024-45270. The affected software is the Carousel Slider plugin provided by Sayful Islam for WordPress installations (JVN Report, NVD).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) with a CVSS v3.1 base score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue stems from missing or incorrect nonce validation on the addslidetemplate() function, which affects the Hero image selection feature (WPScan).

When exploited, this vulnerability allows unauthenticated attackers to add slides via forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link. While logged into the WordPress site with the Carousel Slider plugin enabled, accessing a crafted page may cause a user to alter the contents of the WordPress site (JVN Report).

The vulnerability has been patched in version 2.2.4 of the Carousel Slider plugin. Site administrators are advised to update to this version or later to mitigate the security risk. The fix includes adding nonce verification and permission checking on hero carousel ajax actions (WordPress Plugin).