CVE-2024-10149 is a medium-severity vulnerability classified as CWE-79 (Cross-Site Scripting, XSS) found in the Social Slider Feed WordPress plugin versions prior to 2.2.9. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to inject and store malicious scripts. This stored XSS can be triggered even when the WordPress unfiltered_html capability is disabled, which is a common restriction in multisite environments to prevent script injection. The attack vector requires network access (remote) and high privileges (admin-level), with user interaction needed to trigger the malicious payload. The vulnerability impacts confidentiality and integrity by enabling script execution in the context of the victim’s browser, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress admin interface. The CVSS 3.1 base score is 4.8 (medium), reflecting the moderate impact and exploitation complexity. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability affects the Social Slider Feed plugin, which is used to display social media feeds on WordPress sites, but the exact vendor is unknown. The vulnerability’s scope is limited to WordPress sites using this plugin and having high-privilege users who can modify plugin settings.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the Social Slider Feed plugin installed. If exploited, attackers could execute malicious scripts in the context of the admin user, potentially leading to unauthorized administrative actions, data leakage, or further compromise of the website and connected systems. This could impact the confidentiality and integrity of sensitive information managed via the WordPress backend, including customer data, internal communications, or content management. Given the reliance on WordPress for many corporate and governmental websites in Europe, especially small and medium enterprises and public sector entities, exploitation could disrupt services or damage reputations. However, the requirement for high privileges and user interaction limits the attack surface. The absence of known exploits reduces immediate threat but does not eliminate risk, especially if attackers develop proof-of-concept exploits. Organizations using multisite WordPress setups should be particularly cautious as the vulnerability bypasses unfiltered_html restrictions common in such environments.

European organizations should take the following specific actions: 1) Immediately identify and inventory WordPress sites using the Social Slider Feed plugin, including multisite installations. 2) Upgrade the plugin to version 2.2.9 or later once available, or apply vendor-provided patches as soon as they are released. 3) Restrict administrative privileges strictly to trusted personnel and enforce strong authentication mechanisms (e.g., MFA) to reduce the risk of privilege abuse. 4) Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads. 5) Regularly audit plugin settings and user inputs for suspicious content, especially from high-privilege users. 6) Monitor web server and application logs for unusual activity that may indicate exploitation attempts. 7) Consider disabling or replacing the plugin if immediate patching is not possible, especially on critical or public-facing sites. 8) Educate administrators about the risks of stored XSS and safe plugin configuration practices. These measures go beyond generic advice by focusing on privilege management, proactive detection, and layered defenses tailored to the plugin’s context.