{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14278", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-08T17:05:36.951Z", "datePublished": "2025-12-13T03:20:25.867Z", "dateUpdated": "2026-04-08T17:15:33.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:33.724Z"}, "affected": [{"vendor": "htplugins", "product": "HT Slider For Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HT Slider for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_title' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "HT Slider for Elementor <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af580e5a-a9da-4516-b612-b544dc73cf23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/assets/js/htslider-widgets.js#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/include/addons/htslider_scroll_navigation.php#L1397"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415988%40ht-slider-for-elementor&new=3415988%40ht-slider-for-elementor#file1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-12-08T17:20:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-12T14:55:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:54.795622Z", "id": "CVE-2025-14278", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:49:04.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:54.795622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:55.831Z"}}], "cna": {"title": "HT Slider for Elementor <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "htplugins", "product": "HT Slider For Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-08T17:20:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-12T14:55:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af580e5a-a9da-4516-b612-b544dc73cf23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/assets/js/htslider-widgets.js#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/include/addons/htslider_scroll_navigation.php#L1397"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415988%40ht-slider-for-elementor&new=3415988%40ht-slider-for-elementor#file1"}], "descriptions": [{"lang": "en", "value": "The HT Slider for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_title' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-13T03:20:25.867Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14278", "state": "PUBLISHED", "dateUpdated": "2025-12-15T15:49:04.121Z", "dateReserved": "2025-12-08T17:05:36.951Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T03:20:25.867Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HT Slider for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_title' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14278", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:48.147", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/assets/js/htslider-widgets.js#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/include/addons/htslider_scroll_navigation.php#L1397"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415988%40ht-slider-for-elementor&new=3415988%40ht-slider-for-elementor#file1"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af580e5a-a9da-4516-b612-b544dc73cf23?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:50:06.054131+00:00", "value": {"mitigation_remediation": ["Upgrade the HT Slider For Elementor plugin to the latest available release that contains the fix for the stored XSS flaw.", "If an immediate upgrade is not possible, revoke Contributor or higher permissions from editing slide titles or temporarily disable the plugin until the fix is applied.", "Deploy an application\u2011level WAF rule to block or sanitize script payloads in the slide_title field as a temporary mitigation."], "summary": {"action": "Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the HT Slider For Elementor plugin installed on any version up to and including 1.7.4. The attack is limited to users with Contributor level access or higher, as they can create or edit slides containing a malicious 'slide_title' value.", "description_and_impact": "The HT Slider For Elementor plugin for WordPress contains a stored cross\u2011site scripting flaw (CWE\u201179). The vulnerability arises from the 'slide_title' field, which is not properly sanitized or escaped when rendered in JavaScript, allowing an attacker to inject arbitrary scripts that execute in the browser of any user who views the affected page. This can be used to deface content, phish credentials, or execute malicious actions within the site context.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity. The EPSS score is below 1%, highlighting that the likelihood of public exploitation today is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access at the Contributor level or higher, so an organization\u2019s least privileged users face the greatest risk if they are compromised. Because the impact occurs on page load for any user, the risk to user sessions and site integrity is significant, though the lack of a widespread exploit and low EPSS suggest that the overall threat is moderate until a patch is applied."}}}}, "created": "2025-12-14T21:15:01.236520+00:00", "updated": "2026-04-21T01:00:12.950821+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "htplugins", "htplugins$PRODUCT$ht_slider_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}