{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5337", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-29T18:45:27.758Z", "datePublished": "2025-06-14T09:23:33.099Z", "dateUpdated": "2026-04-08T16:35:27.791Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:27.791Z"}, "affected": [{"vendor": "metaslider", "product": "Slider, Gallery, and Carousel by MetaSlider \u2013 Image Slider, Video Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.98.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018aria-label\u2019 parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e6492e5-a506-4d77-96d2-08f700b6ee76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ml-slider/tags/3.98.0/assets/metaslider/script.js#L11"}, {"url": "https://wordpress.org/plugins/ml-slider/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309932/ml-slider/tags/3.99.0/assets/metaslider/script.js"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-06-13T21:11:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:45:52.650873Z", "id": "CVE-2025-5337", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:38:34.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T16:45:52.650873Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T16:47:07.320Z"}}], "cna": {"title": "Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "metaslider", "product": "Slider, Gallery, and Carousel by MetaSlider \u2013 Image Slider, Video Slider", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.98.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-13T21:11:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e6492e5-a506-4d77-96d2-08f700b6ee76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ml-slider/tags/3.98.0/assets/metaslider/script.js#L11"}, {"url": "https://wordpress.org/plugins/ml-slider/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309932/ml-slider/tags/3.99.0/assets/metaslider/script.js"}], "descriptions": [{"lang": "en", "value": "The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018aria-label\u2019 parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:27.791Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5337", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:27.791Z", "dateReserved": "2025-05-29T18:45:27.758Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-14T09:23:33.099Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metaslider:slider\\,_gallery\\,_and_carousel:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B1A59C9B-DCAC-45E8-993F-3C8836864E24", "versionEndExcluding": "3.99.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018aria-label\u2019 parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Slider, Gallery y Carousel de MetaSlider para WordPress es vulnerable a cross-site-scripting almacenado a trav\u00e9s del par\u00e1metro 'aria-label' en todas las versiones hasta la 3.98.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5337", "lastModified": "2025-07-09T19:22:40.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-14T10:15:20.153", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ml-slider/tags/3.98.0/assets/metaslider/script.js#L11"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3309932/ml-slider/tags/3.99.0/assets/metaslider/script.js"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/ml-slider/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e6492e5-a506-4d77-96d2-08f700b6ee76?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:49:19.408697+00:00", "value": {"mitigation_remediation": ["Update MetaSlider to version 3.99.0 or later where the aria\u2011label sanitization issue has been fixed.", "If an immediate update cannot be performed, restrict Contributor or higher roles from editing slides or disable the slide editing capability using a roles\u2011and\u2011capabilities plugin.", "Apply a site\u2011wide Content Security Policy that disallows execution of inline scripts or scripts from untrusted origins to mitigate the impact of any stored script.", "As a temporary workaround, remove or override the aria\u2011label attribute from the slider markup using a custom filter or additional plugin if the vendor provides such a setting."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via the aria\u2011label parameter"}, "threat_synthesis": {"affected_systems": "All WordPress sites running MetaSlider versions up to and including 3.98.0 are affected. The vulnerability targets the plugin component \"Slider, Gallery, and Carousel by MetaSlider \u2013 Image Slider, Video Slider\" and its associated WordPress integration. No specific OS or PHP version constraints are listed in the CVE data.", "description_and_impact": "The MetaSlider \"Slider, Gallery, and Carousel\" plugin for WordPress is vulnerable because the aria\u2011label field is stored without proper sanitization or escaping. An authenticated user with Contributor or higher permissions can inject arbitrary JavaScript into the field. The injected script is stored in the database and rendered on every page that displays the affected slide, allowing the attacker to run code in the browsers of all visitors who view the injected page, potentially compromising user accounts and data. This is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 6.4 the flaw is considered moderate in severity. The EPSS score of less than 1% indicates a low exploit probability at the time of analysis. It is not listed in the CISA KEV catalog. The likely exploit path requires an authenticated Contributor or higher to access the slide editing interface, inject a malicious payload into the aria\u2011label field, and then wait for any site visitor to load the page containing the stored script. Due to the need for authenticated access, the threat is limited to sites where the attacker can gain or already possesses such privileges. "}}}}, "created": "2026-04-22T15:00:05.611404+00:00", "updated": "2026-04-22T15:00:05.611419+00:00", "vendors": []}