Meta Slider is one of the most popular WordPress plugins for creating responsive image sliders, offering flexible customization options that enhance the visual appeal of websites. However, a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1062) has been discovered in the plugin. It allows attackers with Editor privileges to inject malicious JavaScript into the plugin's slider settings; the script is then executed in the browsers of other users who view the slider, which can lead to a complete compromise of the site. With over 600,000 active installations, the affected plugin represents a widespread security risk for WordPress-powered websites.
| Field | Value |
|---|---|
| CVE | CVE-2025-1062 |
| Plugin | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider |
| Severity | High |
| All-time downloads | 30 303 312 |
| Active installations | 600 000+ |
| Publicly published | March 11, 2025 |
| Last updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1062 |
| | https://wpscan.com/vulnerability/657b355b-e38f-46d6-b574-7ce736d25f31/ |
Timeline

| Date | Event |
|---|---|
| January 14, 2025 | Plugin testing and vulnerability detection in Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider completed |
| January 14, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2025-1062 |
Discovery of the Vulnerability
CVE-2025-1062 was uncovered during a security audit of the Meta Slider plugin. The flaw exists in the plugin's slider creation functionality, specifically in the "Background" field under the "Theme" section when adding a new slide. The plugin does not sanitize the input in this field, so a user can store arbitrary HTML and JavaScript in it. The injected markup is saved in the database and rendered whenever the slider is displayed on the frontend, so the script executes in the browser of any user who views the page.
Understanding XSS attacks
Cross-Site Scripting (XSS) vulnerabilities occur when a web application allows attackers to inject malicious scripts into web pages that are viewed by other users. In WordPress, this type of vulnerability is most often found in plugins and themes that fail to properly sanitize and validate user inputs. XSS attacks can have devastating consequences, including session hijacking, defacing websites, stealing user credentials, or spreading malware. A real-world example of a similar vulnerability is CVE-2020-2559 in the WPForms plugin, where XSS was allowed in form fields, enabling attackers to inject malicious scripts into submitted data, thus compromising the site. CVE-2025-1062 in Meta Slider follows a similar pattern, allowing JavaScript injection through a misconfigured field, with far-reaching security implications.
Exploiting the XSS Vulnerability
To exploit CVE-2025-1062, an attacker with Editor or higher privileges performs the following steps.

PoC:

1) Create a new slider.
2) Click "Add Slide".
3) Change the "Background" field in the "Theme" section to `123"</style><img src=x onerror=alert(1)>`.
4) To trigger the XSS, create a new post and insert the shortcode of the new slider into it.
The risks associated with CVE-2025-1062 are significant, particularly for websites that use Meta Slider to display content. If an attacker successfully exploits this vulnerability, they could take control of the site by injecting malicious scripts that execute in the context of other users’ browsers.
Recommendations for Improved Security
Administrators using Meta Slider should update the plugin to the latest patched version as soon as it becomes available. Until then, restrict access to the slider creation interface and monitor slider configurations for unauthorized changes. Developers must enforce strict input validation and output escaping, especially in fields whose values are rendered into HTML or JavaScript. Functions such as `esc_attr()`, `wp_kses()`, and `sanitize_text_field()` mitigate these threats. Site owners should also consider deploying a Web Application Firewall (WAF) and regularly scanning their sites for XSS and other injection flaws. The vendor applied the prevention methods we recommended to fix this vulnerability.
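The following PHP example is added here to illustrate the discovery section and the recommendations above; it is not MetaSlider's code and makes no claim about how the plugin stores or renders its settings. It contrasts an unsafe rendering of a user-supplied background setting inside a `<style>` block (where the PoC payload's `</style>` closes the element and the rest is parsed as HTML) with a hardened version that validates the value against an allowlist before output, and it includes an audit helper for finding already-stored values that contain markup. All function names, the `.metaslider-{id}` selector, and the stored-settings array are hypothetical.

```php
<?php
// Added example (not MetaSlider's code). Function names, selectors and the
// stored-settings layout below are hypothetical.

// The PoC payload from the advisory, used here only as constructed test input.
const POC_VALUE = '123"</style><img src=x onerror=alert(1)>';

// UNSAFE: interpolates the stored setting verbatim into a <style> block.
// A '</style>' inside the value closes the element and the remainder is parsed as HTML.
function render_slider_css_unsafe(string $slider_id, string $background): string
{
    return "<style>.metaslider-{$slider_id} .slide { background: {$background}; }</style>";
}

// Allowlist validator for a CSS background value: a hex colour, rgb()/rgba()
// with numeric arguments, or a bare colour keyword such as "transparent".
// Anything containing '<', '"', ';' or a URL is rejected by construction.
function is_safe_css_background(string $value): bool
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 64) {
        return false;
    }
    $patterns = [
        '/^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/',                                // #fff or #ffffff
        '/^rgba?\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){2}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\)$/', // rgb()/rgba()
        '/^[a-zA-Z]{1,20}$/',                                                      // colour keyword
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

// SAFE: validate at output time (the same check belongs in the save handler) and
// fall back to a default. WordPress's esc_attr() would encode '<' as '&lt;' and
// sanitize_text_field() would strip tags, but for a CSS value a strict allowlist
// is the stronger control because it also rejects url(...) and expression-style input.
function render_slider_css_safe(string $slider_id, string $background, string $default = 'transparent'): string
{
    $bg = is_safe_css_background($background) ? trim($background) : $default;
    // The slider id is interpolated too, so constrain it to digits.
    $id = preg_replace('/[^0-9]/', '', $slider_id);
    return "<style>.metaslider-{$id} .slide { background: {$bg}; }</style>";
}

// Audit helper for incident response: given a map of slide id => stored
// background value (constructed layout, not MetaSlider's), return the entries
// that would not pass the allowlist and therefore need manual review.
function find_injected_backgrounds(array $stored): array
{
    $flagged = [];
    foreach ($stored as $slide_id => $value) {
        if (!is_safe_css_background((string) $value)) {
            $flagged[$slide_id] = $value;
        }
    }
    return $flagged;
}

// Demonstration with constructed data.
$stored = [
    101 => '#336699',
    102 => 'rgba(0, 0, 0, 0.5)',
    103 => POC_VALUE,
];

echo "Unsafe render:\n", render_slider_css_unsafe('7', POC_VALUE), "\n\n";
echo "Safe render:\n", render_slider_css_safe('7', POC_VALUE), "\n\n";
echo "Stored values needing review:\n";
print_r(find_injected_backgrounds($stored));
```

Run it with `php example.php`. The unsafe output shows the `<img>` tag landing outside the closed `<style>` element; the safe output keeps the selector intact and substitutes the default. The audit helper is the check an administrator would run over existing slider settings after updating, since patching the plugin does not remove values that were injected before the fix.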
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1062, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.