CVE-2025-66092 in Accordion Slider Plugin

Summary

by MITRE • 11/21/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS. This issue affects Accordion Slider: from n/a through <= 1.9.13.


Analysis

by VulDB Data Team • 11/28/2025

The CVE-2025-66092 vulnerability represents a critical cross-site scripting flaw within the bqworks Accordion Slider plugin, specifically impacting versions through 1.9.13. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, where malicious input is improperly handled during web page generation, creating persistent security risks for affected websites. The flaw enables attackers to inject malicious scripts that execute in the context of other users' browsers, potentially compromising user sessions and data integrity.

The weakness lies in the page generation step: values supplied through the plugin's input fields are not adequately sanitized or escaped before being rendered in the slider markup. An attacker who can reach those fields submits a payload, which is then stored in the plugin's database or configuration settings. Because the stored script executes every time an affected page is loaded, this is a stored XSS vulnerability rather than a reflected one. The issue is specific to the accordion-slider functionality, where user-generated content or configuration parameters are processed without proper input validation.

The operational impact of CVE-2025-66092 extends beyond simple script execution, as it can enable attackers to perform session hijacking, deface websites, steal sensitive user information, or redirect victims to malicious domains. The stored nature of the vulnerability means that once exploited, the malicious scripts remain active until manually removed from the plugin's configuration, potentially affecting all users who access pages containing the vulnerable accordion slider. This persistent threat can lead to long-term compromise of website security and user trust, particularly in environments where the plugin is widely used across multiple pages or sections of a website.

Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the bqworks Accordion Slider plugin where the XSS flaw has been patched. Additionally, administrators should conduct thorough security assessments of all web applications using this plugin, review existing configurations for any malicious payloads, and implement proper input validation and output escaping mechanisms. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious web content, and T1071.001 for application layer protocol usage. Security teams should also consider implementing content security policies and regular security scanning to prevent similar vulnerabilities from persisting in other components of their web infrastructure.
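To make the CWE-79 pattern and the recommended mitigations concrete, the following is an added illustration and not code from the Accordion Slider plugin or from bqworks. The panel field names (`title`, `link`, `caption`), the `render_panel_*`, `flag_suspicious_setting` and `send_csp_header` functions and the stored sample values are all constructed for the example. It shows the same stored value rendered once verbatim (the shape the advisory describes) and once with context-appropriate output escaping, a simple review check for payload-like strings already sitting in stored settings, and a Content-Security-Policy header as defence in depth. It runs stand-alone with the PHP CLI; inside WordPress the real `esc_attr()`, `esc_html()` and `esc_url()` are used instead of the fallbacks.

```php
<?php
// Added example (not the plugin's code). Hypothetical accordion panel renderer
// demonstrating unescaped vs. escaped output, a stored-config review check,
// and a CSP header. All names and sample data are constructed.

// Fallbacks so the file runs outside WordPress. In WordPress these come from
// wp-includes/formatting.php and must not be redefined.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        // Minimal stand-in: permit only http(s) links, drop anything else.
        return preg_match('#^https?://#i', $s)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Vulnerable shape: stored settings are concatenated straight into markup,
// once in an attribute context and once in a text context, with no escaping.
function render_panel_unsafe(array $panel): string {
    return '<div class="as-panel" data-title="' . $panel['title'] . '">'
         . '<a href="' . $panel['link'] . '">' . $panel['caption'] . '</a></div>';
}

// Hardened shape: each value is escaped for the exact context it lands in.
// Attribute -> esc_attr, URL -> esc_url, element text -> esc_html.
function render_panel_safe(array $panel): string {
    return '<div class="as-panel" data-title="' . esc_attr($panel['title']) . '">'
         . '<a href="' . esc_url($panel['link']) . '">' . esc_html($panel['caption']) . '</a></div>';
}

// Review helper for the "check existing configurations" step: flags stored
// values that contain script tags, event-handler attributes or javascript: URLs.
// A hit means "inspect this row", not a verdict; legitimate HTML can match too.
function flag_suspicious_setting(string $value): bool {
    return (bool) preg_match('/<\s*script|<\s*iframe|javascript\s*:|\bon[a-z]+\s*=/i', $value);
}

// Defence in depth: with a script-src that excludes 'unsafe-inline', an inline
// payload that does reach the page is refused by the browser.
function send_csp_header(): void {
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed settings as they might sit in the options table after being saved.
$stored_panel = [
    'title'   => 'Spring" onmouseover="marker()',          // breaks out of an attribute
    'link'    => 'javascript:marker()',                      // non-http scheme
    'caption' => 'Open <script>marker()</script> catalogue', // raw script tag in text
];

send_csp_header();

echo "Unsafe render:\n", render_panel_unsafe($stored_panel), "\n\n";
echo "Safe render:\n",   render_panel_safe($stored_panel),   "\n\n";

foreach ($stored_panel as $field => $value) {
    printf("%-8s %s\n", $field, flag_suspicious_setting($value) ? 'REVIEW' : 'ok');
}
```

Run it with `php example.php`. In the safe render the quote in `title` becomes `&quot;`, so the attribute cannot be closed early; the `javascript:` link is dropped by `esc_url`; and the `<script>` tag in `caption` is shown as literal text. Escaping at output time is the fix for the advisory's CWE-79 class because it neutralizes whatever is already stored; sanitizing on save (for example with `wp_kses_post()` on rich-text fields) and the CSP header are additional layers, not replacements.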

Responsible

Patchstack

Reservation

11/21/2025

Disclosure

11/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00029

KEV

no

Activities

very low

Sources
