CVE-2025-1062 in Slider, Gallery, and Carousel Plugin
Summary
by MITRE • 03/24/2025
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 04/08/2025
The vulnerability identified as CVE-2025-1062 affects the Slider, Gallery, and Carousel by MetaSlider WordPress plugin in versions before 3.95.0. It is a stored cross-site scripting flaw caused by missing input sanitization and output escaping in the plugin's administrative settings. It is exploitable by high-privilege users such as administrators who can modify the plugin configuration, and it matters most in multisite WordPress installations, where even administrators are normally denied the unfiltered_html capability and should therefore be unable to store arbitrary markup.
The technical flaw stems from the plugin's failure to properly sanitize user-provided input data before storing it in the WordPress database and subsequently rendering it in administrative interfaces. When administrators configure slider, gallery, or carousel settings through the WordPress admin panel, the plugin processes certain parameters without adequate sanitization measures. This allows malicious code to be injected into the plugin's configuration settings, which then gets executed whenever the affected administrative pages are accessed by other privileged users. The vulnerability persists because the plugin does not employ proper escaping functions when outputting stored data back to the browser, creating a classic stored XSS vector.
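To make the two halves of the flaw concrete, here is an added illustration written for this page (it is not MetaSlider's code, and the option key, nonce action and field names are hypothetical): a settings save-and-render pair in the unsafe shape described above, followed by the same pair with sanitization on save and context-appropriate escaping on output.

```php
<?php
// Added example, not MetaSlider's code. Assumed names: option key
// 'examplecarousel_settings', nonce action 'examplecarousel_save',
// fields 'caption' (may contain limited HTML) and 'width' (integer).

// --- Unsafe pattern: stored as submitted, echoed as stored ---
// An administrator without unfiltered_html can still save markup here, and
// every administrator who opens the settings page then renders it.
function examplecarousel_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'examplecarousel_save' );
    update_option( 'examplecarousel_settings', array(
        'caption' => $_POST['caption'] ?? '', // no sanitization
        'width'   => $_POST['width'] ?? '',
    ) );
}

function examplecarousel_render_unsafe() {
    $s = get_option( 'examplecarousel_settings', array() );
    echo '<input name="caption" value="' . $s['caption'] . '">'; // no escaping
    echo '<p>Preview: ' . $s['caption'] . '</p>';                 // no escaping
}

// --- Hardened pattern: sanitize on save, escape on output ---
function examplecarousel_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'examplecarousel_save' );
    // WordPress adds slashes to request data; remove them before filtering.
    $caption = isset( $_POST['caption'] ) ? wp_unslash( $_POST['caption'] ) : '';
    $width   = isset( $_POST['width'] ) ? wp_unslash( $_POST['width'] ) : '';
    update_option( 'examplecarousel_settings', array(
        // wp_kses_post() keeps only the tags/attributes allowed in post content
        // and drops script tags, event handlers and javascript: URLs, regardless
        // of whether the saving user holds unfiltered_html. For a plain-text
        // field, sanitize_text_field() would be the right call instead.
        'caption' => wp_kses_post( $caption ),
        'width'   => absint( $width ),
    ) );
}

function examplecarousel_render_safe() {
    $s       = get_option( 'examplecarousel_settings', array() );
    $caption = isset( $s['caption'] ) ? $s['caption'] : '';
    $width   = isset( $s['width'] ) ? (int) $s['width'] : 0;
    // Escape for the context the value lands in: attribute vs. HTML body.
    echo '<input name="caption" value="' . esc_attr( $caption ) . '">';
    echo '<input name="width" value="' . esc_attr( (string) $width ) . '">';
    // Filter again on output so values saved by an older, unfiltered version
    // of the plugin are also neutralized, not only newly saved ones.
    echo '<p>Preview: ' . wp_kses_post( $caption ) . '</p>';
}
```

The hardened version applies both layers deliberately: sanitizing on save keeps dangerous markup out of the database, and escaping on output protects the page even when the stored value was written by an earlier release or by another code path. Relying on only one of the two is what produces the class of bug this advisory describes.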
The operational impact is significant for WordPress installations running the affected MetaSlider versions, particularly multisite configurations, where the unfiltered_html capability is withheld from administrators precisely to prevent arbitrary HTML injection. A script stored through the vulnerable settings executes in the browser session of any administrator who views the affected page, which can lead to complete compromise of the WordPress installation. The unfiltered_html restriction offers no protection here, because the plugin stores and renders the setting without applying WordPress's own filtering, so the control that would otherwise block such injections is bypassed. The result is that even a correctly configured multisite environment can be compromised through a single vulnerable plugin component.
Organizations should immediately update to MetaSlider plugin version 3.95.0 or later to remediate this vulnerability. The fix implemented in version 3.95.0 adds proper input sanitization and output escaping so that malicious code is neither stored nor executed. System administrators should also review existing plugin configurations for settings that may already contain injected markup, particularly in environments where multiple administrators can edit plugin settings. The vulnerability aligns with CWE-79, which addresses cross-site scripting flaws, and is a specific case where an existing high privilege combined with inadequate input validation creates a persistent security risk. From an ATT&CK framework perspective, this vulnerability maps to T1548.001, which covers privilege escalation through the use of administrative credentials, and T1190, which involves exploitation of vulnerabilities in web applications. Regular security audits of WordPress plugins and their stored configurations should be carried out to identify similar sanitization issues across all installed plugins.
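For the configuration review recommended above, here is an added audit helper written for this page (not VulDB's or MetaSlider's code). It walks serialized option values whose names match a prefix and reports any string that wp_kses_post() would alter, which is the same filter WordPress applies to content from users without unfiltered_html. The option-name pattern is an assumption and must be adjusted to the plugin's actual option names; the intended invocation is `wp eval-file audit-options.php` under WP-CLI so that WordPress is loaded.

```php
<?php
// Added example, not MetaSlider's code. Runs inside a loaded WordPress
// (e.g. via WP-CLI: wp eval-file audit-options.php). The default LIKE pattern
// is an assumption; replace it with the real option-name prefix to audit.

function examplecarousel_audit_options( $like = 'metaslider%' ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $like
    ) );
    $findings = array();
    foreach ( $rows as $row ) {
        // Options are often stored as serialized arrays; unserialize and walk them.
        $value = maybe_unserialize( $row->option_value );
        examplecarousel_walk_value( $value, $row->option_name, $findings );
    }
    return $findings;
}

function examplecarousel_walk_value( $value, $path, array &$findings ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $key => $child ) {
            examplecarousel_walk_value( $child, $path . '.' . $key, $findings );
        }
        return;
    }
    if ( ! is_string( $value ) || '' === $value ) {
        return;
    }
    // If the post-content filter would change the value, it contains markup
    // or attributes that an unfiltered_html-restricted user should never have
    // been able to store. Entity normalization can also trigger this, so each
    // hit still needs a human look.
    $filtered = wp_kses_post( $value );
    if ( $filtered !== $value ) {
        $findings[] = array(
            'path'     => $path,
            'stored'   => $value,
            'filtered' => $filtered,
        );
    }
}

// Report: one line per suspicious value, showing where it lives and what
// the filter would have removed.
foreach ( examplecarousel_audit_options() as $f ) {
    printf( "%s\n  stored:   %s\n  filtered: %s\n", $f['path'], $f['stored'], $f['filtered'] );
}
```

Treat every hit as something to inspect rather than an automatic incident: a caption with an `<a>` tag that kses rewrites is harmless, while a stored `<script>` element or an `onerror` attribute in a settings field is exactly the artifact this advisory warns about and warrants checking which administrator account saved it and when.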