CVE-2025-1203 in Slider, Gallery, and Carousel Plugin

Summary

by MITRE • 03/24/2025

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


Analysis

by VulDB Data Team • 04/08/2025

CVE-2025-1203 affects the Slider, Gallery, and Carousel by MetaSlider WordPress plugin in versions prior to 3.95.0. Some of the plugin's settings are stored without sanitisation and rendered without output escaping, so a user holding a high-privilege but non-administrative role such as Editor can persist HTML and script in those settings. The flaw matters most where the unfiltered_html capability has been withheld from such users, as it is by default on multisite installations: WordPress relies on that capability, not on the role name, to decide who may store raw markup, and the plugin's settings handlers skip the check entirely. The result is a stored cross-site scripting condition whose payload executes in the browser of whoever views the affected admin screen or the slider's front-end output, including site and network administrators.
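The pattern behind the advisory, as an added example that is not MetaSlider's code: a plugin setting written to an option unsanitised and concatenated into an HTML attribute unescaped, beside a hardened version that follows WordPress conventions (check unfiltered_html before accepting markup, sanitise on save, escape on output), plus a small heuristic for auditing values already stored. The option key `slider_title`, the function names and the attacker string are hypothetical; the `function_exists()` stand-ins are simplified models of the real WordPress helpers so the file runs under plain `php`, and are replaced by the real functions when loaded inside WordPress.

```php
<?php
// Added example, not MetaSlider code. Shows the settings-handling pattern the
// advisory describes (stored unsanitised, echoed unescaped) beside a hardened
// version: check unfiltered_html before accepting markup, sanitise on save,
// escape on output.
//
// The function_exists() blocks are minimal stand-ins (assumed, simplified) so
// the file runs under plain `php`; inside WordPress the real functions are used.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Simplified: the real function also normalises whitespace and octets.
        return trim(strip_tags($s));
    }
}
if (!function_exists('current_user_can')) {
    // Stand-in modelling a multisite Editor: has edit rights, lacks unfiltered_html.
    function current_user_can(string $cap): bool {
        return $cap !== 'unfiltered_html';
    }
}

// ---- Vulnerable pattern -----------------------------------------------------
// Whatever an Editor submits is written to the option as-is and later
// concatenated into an HTML attribute unchanged.
function vulnerable_save(array $post, array &$options): void {
    $options['slider_title'] = $post['slider_title'] ?? '';
}
function vulnerable_render(array $options): string {
    return '<div class="slider" title="' . $options['slider_title'] . '"></div>';
}

// ---- Hardened pattern -------------------------------------------------------
// Only users holding unfiltered_html may store raw markup; everyone else gets
// sanitize_text_field(). Output is escaped regardless of who stored it, because
// a capability check on save does not protect a value that arrived by another
// path (import, direct database write, an older vulnerable version).
function hardened_save(array $post, array &$options): void {
    $title = (string) ($post['slider_title'] ?? '');
    $options['slider_title'] = current_user_can('unfiltered_html')
        ? $title
        : sanitize_text_field($title);
}
function hardened_render(array $options): string {
    return '<div class="slider" title="' . esc_attr($options['slider_title']) . '"></div>';
}

// ---- Audit helper for already-stored values ---------------------------------
// Heuristic check for markup that a user without unfiltered_html should never
// have been able to persist: tags, inline event handlers, javascript: URLs.
function looks_injected(string $stored): bool {
    return (bool) preg_match('/<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript\s*:/i', $stored);
}

// Constructed attacker input: breaks out of the title attribute and adds an
// event handler. It contains no <script> tag, so tag stripping alone would
// not neutralise it.
$post = ['slider_title' => '" onmouseover="alert(document.cookie)" x="'];

$opts = [];
vulnerable_save($post, $opts);
echo "vulnerable: ", vulnerable_render($opts), PHP_EOL;
echo "flagged by audit: ", looks_injected($opts['slider_title']) ? 'yes' : 'no', PHP_EOL;

$opts = [];
hardened_save($post, $opts);
echo "hardened:   ", hardened_render($opts), PHP_EOL;
```

Running it shows the two halves of the advisory's wording. The vulnerable path emits the submitted string verbatim, so the closing quote ends the title attribute and `onmouseover` becomes a live handler on the element. In the hardened path `sanitize_text_field()` leaves the string intact, since it holds no tags, yet `esc_attr()` encodes the quotes at output time and the payload stays inert text inside the attribute. Escaping on output is what closes this class of bug; sanitising on save is the defence in depth, and `looks_injected()` is the kind of check worth running over an options export after updating, because the update changes how stored values are rendered but does not remove them.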

The operational impact is a bypass of the HTML-injection controls that WordPress enforces when unfiltered_html is disallowed, whether through multisite defaults or a custom capability policy. Because the payload lives in the plugin's configuration rather than in a single post, every subsequent load of the affected admin screens or of the slider's front-end markup re-executes it until the setting is cleaned. An attacker holding an Editor account can therefore run script in the browser of any administrator who opens those screens, with that administrator's cookies and nonces, and use it to take administrative actions the Editor account is not permitted to take, steal data, or redirect visitors. The risk is highest where Editor accounts are handed to content teams or contractors and administrators routinely review their work in the dashboard.

The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation requires an authenticated account with at least Editor rights, so the flaw is not reachable by anonymous or subscriber-level users; its significance is that the control it defeats, unfiltered_html, exists precisely to keep such accounts from storing script, and that Editor is a common role to grant outside the core administration team. The fix is to update the plugin to version 3.95.0 or later, which sanitises the affected settings on save and escapes them on output. Beyond patching, operators should review the plugin's stored settings for markup that no user lacking unfiltered_html should have been able to persist, since updating changes how those values are rendered but does not delete them; restrict the Editor role where it is not needed; and keep the installed-plugin inventory under regular review. After updating, confirm the running version on every site in the network and verify that the affected settings screens render stored values as escaped text.

Responsible

WPScan

Reservation

02/10/2025

Disclosure

03/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00274

KEV

no

Activities

very low

Sources
