CVE-2025-9372 in Ultimate Multi Design Video Carousel Plugin

Summary

by MITRE • 10/03/2025

The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


Analysis

by VulDB Data Team • 06/07/2026

The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to stored cross-site scripting in all versions up to and including 1.4. The flaw is the plugin's inadequate input sanitization and output escaping, which gives an authenticated attacker with editor-level privileges a persistent injection point. The precondition in the advisory matters: an editor's stored script only counts as a vulnerability where WordPress itself would otherwise have stopped the editor from storing it, that is, on multi-site installations (where only super administrators hold the unfiltered_html capability) and on single-site installations where unfiltered_html has been disabled, typically with the DISALLOW_UNFILTERED_HTML constant. On a default single-site install, editors already hold unfiltered_html and can post arbitrary HTML through the normal editor, so the plugin grants them nothing new there. The issue is therefore most concerning for organizations that rely on WordPress's capability model to keep editors from injecting script.

Technically, the plugin stores editor-supplied field values without sanitizing them and later renders them into page markup without context-appropriate escaping. An editor who creates or modifies carousel content through the plugin's interface can place markup such as a script tag, an event-handler attribute or a javascript: URL in a field, and that markup is served verbatim to every visitor of the page on which the carousel is rendered. The script runs in the visitor's origin, so it can do anything the visitor is allowed to do: for an administrator viewing the page that includes creating users, changing options or installing plugins through admin forms or the REST API with the victim's own session and nonces. (WordPress marks its authentication cookies HttpOnly, so outright cookie theft is rarely the payload; riding the victim's session is.) Because the payload lives in the database it persists until the content is cleaned, and it bypasses the kses filtering that WordPress applies to post content for users lacking unfiltered_html, which is precisely the control that multi-site and DISALLOW_UNFILTERED_HTML deployments rely on. On a multi-site network the same payload lands in the super administrator's browser as soon as they view the affected site, which makes network-wide escalation possible.
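The save-and-render pair below is an added illustration of the defect class described above and of the fix. It is not code from the Ultimate Multi Design Video Carousel plugin or from VulDB: the function names, the meta keys (`_umdvc_demo_*`), the form field names and the nonce action are hypothetical. The first pair stores and prints raw input; the second sanitizes on save with the same unfiltered_html rule WordPress core applies to post content, and escapes each value for the context it lands in.

```php
<?php
/**
 * Added illustration of the save/render defect class (NOT the plugin's code).
 * Function names, meta keys (_umdvc_demo_*), form field names and the nonce
 * action are hypothetical.
 */

// --- Vulnerable pattern: store raw input, print it unescaped ---------------

function umdvc_demo_save_item_vulnerable( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // No sanitization: whatever the editor typed is written to the database.
    update_post_meta( $post_id, '_umdvc_demo_title', wp_unslash( $_POST['umdvc_title'] ?? '' ) );
    update_post_meta( $post_id, '_umdvc_demo_video_url', wp_unslash( $_POST['umdvc_video_url'] ?? '' ) );
}

function umdvc_demo_render_item_vulnerable( int $post_id ): string {
    $title = (string) get_post_meta( $post_id, '_umdvc_demo_title', true );
    $url   = (string) get_post_meta( $post_id, '_umdvc_demo_video_url', true );
    // No output escaping: a title of  <img src=x onerror=alert(document.domain)>
    // or a URL of  javascript:alert(1)  runs in every visitor's browser.
    return '<div class="umdvc-item" title="' . $title . '">'
         . '<a href="' . $url . '">' . $title . '</a></div>';
}

// --- Hardened pattern: sanitize on save, escape per context on output ------

function umdvc_demo_save_item_hardened( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // CSRF protection for the save handler itself.
    $nonce = isset( $_POST['umdvc_nonce'] ) ? sanitize_key( $_POST['umdvc_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'umdvc_demo_save_' . $post_id ) ) {
        return;
    }

    $raw_title = wp_unslash( $_POST['umdvc_title'] ?? '' );
    // Mirror core's rule for post content: only holders of unfiltered_html may
    // store arbitrary markup. Editors on multisite, and every role when
    // DISALLOW_UNFILTERED_HTML is set, fall through to the post-safe allow-list,
    // which drops <script>, on* handlers and javascript: URLs.
    $title = current_user_can( 'unfiltered_html' ) ? $raw_title : wp_kses_post( $raw_title );

    // A URL field must only ever contain a URL with an allowed scheme;
    // esc_url_raw() returns '' for javascript: and other disallowed protocols.
    $url = esc_url_raw( wp_unslash( $_POST['umdvc_video_url'] ?? '' ) );

    update_post_meta( $post_id, '_umdvc_demo_title', $title );
    update_post_meta( $post_id, '_umdvc_demo_video_url', $url );
}

function umdvc_demo_render_item_hardened( int $post_id ): string {
    $title = (string) get_post_meta( $post_id, '_umdvc_demo_title', true );
    $url   = (string) get_post_meta( $post_id, '_umdvc_demo_video_url', true );
    // Escape for the context each value lands in: attribute, URL, HTML body.
    // Re-running wp_kses_post() on output is defence in depth for rows that
    // were stored before the sanitization was added.
    return '<div class="umdvc-item" title="' . esc_attr( wp_strip_all_tags( $title ) ) . '">'
         . '<a href="' . esc_url( $url ) . '">' . wp_kses_post( $title ) . '</a></div>';
}
```

The capability check on save is what ties the fix to the advisory's precondition: where editors hold unfiltered_html the raw value is kept, exactly as core does for post content, and where they do not (multi-site, DISALLOW_UNFILTERED_HTML) the allow-list removes the script-bearing constructs. Output escaping is still required in both cases, because sanitization at save time says nothing about rows that were stored before the fix.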

The operational impact therefore goes beyond a visible script. The realistic outcome is privilege escalation from editor to administrator, or to super administrator on a multi-site network, once a suitably privileged user views the affected page, followed by whatever that level of access permits, including access to user data and administrative functions. The payload fires on every page load rather than once, and each legitimate content edit by an editor is a fresh opportunity to plant it, so the exposure is continuous on sites with active editorial workflows. Security teams should read the stated preconditions (multi-site, or unfiltered_html disabled) not as a narrowing of risk but as a description of precisely the hardened configurations the flaw undermines, and those configurations are common in enterprise WordPress deployments.

Mitigation should start with updating the plugin to a release later than 1.4 that addresses the sanitization and escaping issues, or deactivating it where no fixed release is available, combined with tightening who holds the editor role and auditing content already stored by editors for script-bearing markup. A web application firewall can add a layer by flagging script tags, event-handler attributes and javascript: URLs in admin form submissions, and audit logging of post and post-meta changes helps identify unauthorized content modifications; neither replaces the code fix, since the stored payload continues to execute regardless of how it arrived. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and maps to ATT&CK T1059.007 (Command and Scripting Interpreter: JavaScript), with privilege escalation being a consequence of that script executing in a privileged user's browser rather than a separate elevation technique. Keeping WordPress core and plugins current remains the baseline control, as this entry illustrates how a routine plugin defect negates a deliberately hardened permission model.
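As an added example of the monitoring control mentioned above (not code from the plugin or from VulDB), the WP-CLI script below audits stored content for markup that wp_kses_post() would have removed, and grades each hit by whether its author could legitimately hold unfiltered_html. The `_umdvc_` meta-key prefix is an assumption and must be replaced with the plugin's real keys; the scan of all post content and options is independent of that.

```php
<?php
/**
 * Added example of the "monitor for unauthorized content modifications"
 * control: a one-off audit of stored content for script-bearing markup.
 * Run from the site root with WP-CLI:  wp eval-file umdvc-scan.php
 * (add --url=<site> per site on multisite). Not the plugin's or VulDB's
 * code; the _umdvc_ meta-key prefix is an assumption.
 */

// Anything wp_kses_post() would strip. A match is a finding to review, not
// proof of compromise: a user who holds unfiltered_html may legitimately embed
// script, so the author's capability decides the severity.
$umdvc_patterns = array(
    'script_tag'    => '/<script\b/i',
    'event_handler' => '/<[^>]+\son[a-z]+\s*=/i',
    'js_scheme'     => '/(?:href|src|action|data)\s*=\s*["\']?\s*javascript:/i',
    'active_embed'  => '/<(?:iframe|object|embed|svg)\b/i',
);

function umdvc_scan_value( string $value, array $patterns ): array {
    $hits = array();
    foreach ( $patterns as $name => $regex ) {
        if ( preg_match( $regex, $value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function umdvc_report( string $where, int $author_id, array $hits ): void {
    // An author who cannot hold unfiltered_html has no legitimate way to
    // store this markup; that is exactly the case the advisory describes.
    $allowed = $author_id > 0 && user_can( $author_id, 'unfiltered_html' );
    printf( "%s %s: %s (author %d %s unfiltered_html)\n",
        $allowed ? 'REVIEW' : 'ALERT ',
        $where, implode( ',', $hits ), $author_id, $allowed ? 'has' : 'lacks' );
}

global $wpdb;

// 1. Post content of every type, including revisions: a payload left in a
//    revision row comes back with the next restore.
$posts = $wpdb->get_results(
    "SELECT ID, post_author, post_type, post_content FROM {$wpdb->posts}
      WHERE post_content <> ''"
);
foreach ( $posts as $p ) {
    $hits = umdvc_scan_value( (string) $p->post_content, $umdvc_patterns );
    if ( $hits ) {
        umdvc_report( sprintf( 'post %d (%s)', $p->ID, $p->post_type ), (int) $p->post_author, $hits );
    }
}

// 2. Post meta under the plugin's (assumed) key prefix. Meta rows carry no
//    author, so the owning post's author is the nearest proxy.
$meta = $wpdb->get_results( $wpdb->prepare(
    "SELECT m.post_id, m.meta_key, m.meta_value, p.post_author
       FROM {$wpdb->postmeta} m JOIN {$wpdb->posts} p ON p.ID = m.post_id
      WHERE m.meta_key LIKE %s",
    $wpdb->esc_like( '_umdvc_' ) . '%'
) );
foreach ( $meta as $m ) {
    $hits = umdvc_scan_value( (string) $m->meta_value, $umdvc_patterns );
    if ( $hits ) {
        umdvc_report( sprintf( 'postmeta post %d key %s', $m->post_id, $m->meta_key ), (int) $m->post_author, $hits );
    }
}

// 3. Options (serialized settings blobs are a common plugin store). No author
//    is recorded, so every hit is reported for manual review.
$opts = $wpdb->get_results( "SELECT option_name, option_value FROM {$wpdb->options}" );
foreach ( $opts as $o ) {
    $hits = umdvc_scan_value( (string) $o->option_value, $umdvc_patterns );
    if ( $hits ) {
        umdvc_report( 'option ' . $o->option_name, 0, $hits );
    }
}
```

ALERT lines are the ones that match the advisory's scenario: markup stored under an account that WordPress would not have allowed to store it through the standard editor. REVIEW lines are expected on a single-site install where administrators embed script deliberately, and the options scan in particular will surface legitimate widget and theme settings, so the output is a triage list rather than a verdict.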

Disclosure

10/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low
