CVE-2025-5337 in Slider, Gallery, and Carousel Plugin
Summary
by MITRE • 06/14/2025
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/10/2025
The vulnerability identified as CVE-2025-5337 affects the Slider Gallery and Carousel by MetaSlider plugin for WordPress, representing a critical stored cross-site scripting vulnerability that undermines the security integrity of affected WordPress installations. This flaw exists within the plugin's handling of the 'aria-label' parameter, which is commonly used for accessibility purposes in web interfaces. The vulnerability impacts all versions up to and including 3.98.0, making it a widespread concern for WordPress administrators who have not yet updated their installations. The stored nature of this XSS vulnerability means that malicious scripts injected by attackers persist in the database and execute whenever affected pages are accessed by any user, regardless of their privilege level.
The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When the plugin processes user-supplied data through the 'aria-label' parameter, it fails to properly validate or sanitize the input before storing it in the database. Additionally, the output escaping mechanisms that should protect against XSS attacks are either missing or inadequate, allowing malicious scripts to be stored and subsequently executed in the browser context of unsuspecting users. This vulnerability specifically targets authenticated attackers who possess Contributor-level access or higher, which represents a significant threat vector since contributors can typically create and edit posts, upload media, and modify content within their assigned areas. The flaw aligns with CWE-79, which defines Cross-Site Scripting as a weakness that occurs when an application incorporates untrusted data into web pages without proper validation or escaping, making it one of the most prevalent and dangerous web application security vulnerabilities.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it provides attackers with the capability to execute arbitrary scripts in the context of the victim's browser session. This could enable attackers to steal session cookies, perform actions on behalf of users, redirect users to malicious sites, or even install malware on affected systems. The fact that this vulnerability affects authenticated users with Contributor-level access means that attackers who can gain access to such accounts can leverage this flaw to compromise the entire WordPress installation. The stored nature of the XSS vulnerability means that the malicious payload remains persistent, potentially affecting multiple users over extended periods. From an attacker's perspective, this vulnerability represents a low-effort, high-impact vector for maintaining access and conducting further reconnaissance within the WordPress environment. The ATT&CK framework categorizes this vulnerability under T1566, which covers Phishing with Malicious Attachments, as the malicious scripts could be used to create social engineering campaigns that exploit the trust users place in legitimate WordPress content.
Organizations affected by this vulnerability should immediately prioritize patching their MetaSlider plugin installations to versions that address the XSS flaw. The recommended mitigation strategy includes implementing proper input validation and output escaping mechanisms, which are fundamental security practices that align with the OWASP Top Ten security controls. Administrators should also consider implementing additional security measures such as web application firewalls, content security policies, and regular security audits of WordPress plugins and themes. The vulnerability demonstrates the critical importance of maintaining up-to-date software and conducting regular security assessments to identify and remediate potential attack vectors. Security teams should also implement monitoring solutions that can detect unusual activities or unauthorized content modifications that might indicate exploitation attempts. Given the severity of stored XSS vulnerabilities, administrators should also consider implementing role-based access controls and regular privilege reviews to minimize the potential impact of compromised accounts. The incident highlights the necessity of adopting a defense-in-depth approach to WordPress security, where multiple layers of protection work together to prevent successful exploitation of vulnerabilities like CVE-2025-5337.