A vulnerability was discovered in the widely used WordPress plugin Post Slider and Carousel with Widget, which lets site owners display posts in sliders or carousels. The plugin is popular for its ease of use and flexibility, especially among non-technical users.

The vulnerability, now identified as CVE-2025-4567, affects plugin versions below 3.2.10. It allows an authenticated user who can edit widget settings to store JavaScript in a widget field that is later rendered unescaped on the front end, resulting in persistent (stored) Cross-Site Scripting (XSS). Because the payload lives in the site's options and fires on every page load, it can serve as a persistent JavaScript backdoor.

CVE: CVE-2025-4567
Plugin: Post Slider and Carousel with Widget < 3.2.10
Criticality: High
All-time downloads: 242 690
Active installations: 10 000+
Publicly published: May 14, 2025
Last updated: May 14, 2025
Researcher: Artyom Krugov
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4567
https://wpscan.com/vulnerability/b8a50ae9-40c4-42f8-9342-2440d3bc12bb/

Timeline

May 2, 2025: Plugin testing and vulnerability detection in the Post Slider and Carousel have been completed
May 2, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
May 14, 2025: Registered CVE-2025-4567

Discovery of the Vulnerability

The vulnerability was discovered during a manual security audit of the plugin's widget system. While testing the widget input fields for validation issues, the Query Offset input of the PSAC - Post Vertical Slider Widget was found to be saved without sanitization: a field that should only ever hold a non-negative integer accepted arbitrary strings. The stored value was then written into the widget's front-end markup without escaping, so a value containing a double quote can close the surrounding HTML attribute and append an event handler or a new element.

Vulnerable field:

Field: Query Offset

Widget: PSAC - Post Vertical Slider Widget
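The pattern behind the bug, as an added illustration that is not the plugin's own code: a minimal WordPress widget whose offset setting is stored verbatim and echoed into an attribute, placed beside the hardened version that enforces the integer type on save and escapes on output. The class and field names (Psac_Offset_Demo_Widget_*, 'offset') are hypothetical.

```php
<?php
/*
 * Added illustration, not code from the plugin. Shows the vulnerable
 * "save raw, print raw" pattern next to the fixed one. Names are hypothetical.
 */

// VULNERABLE pattern: the offset is saved as posted and printed unescaped.
class Psac_Offset_Demo_Widget_Vulnerable extends WP_Widget {
    public function __construct() {
        parent::__construct( 'psac_offset_demo_vuln', 'Offset Demo (vulnerable)' );
    }

    // No type enforcement: any string the form posts is stored in wp_options.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $instance['offset'] = $new_instance['offset'];
        return $instance;
    }

    // Stored value goes straight into an attribute. With the PoC value
    // 123123" onmouseover="alert(777) the rendered markup becomes
    // <div class="psac-slider" data-offset="123123" onmouseover="alert(777)">
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<div class="psac-slider" data-offset="' . $instance['offset'] . '">';
        // ... posts would be queried with 'offset' => $instance['offset'] here ...
        echo '</div>';
        echo $args['after_widget'];
    }
}

// HARDENED pattern: coerce to a non-negative integer on save, escape on output.
class Psac_Offset_Demo_Widget_Fixed extends WP_Widget {
    public function __construct() {
        parent::__construct( 'psac_offset_demo_fixed', 'Offset Demo (fixed)' );
    }

    public function form( $instance ) {
        $offset = isset( $instance['offset'] ) ? absint( $instance['offset'] ) : 0;
        printf(
            '<p><label for="%1$s">Query Offset</label> ' .
            '<input class="widefat" id="%1$s" name="%2$s" type="number" min="0" value="%3$d"></p>',
            esc_attr( $this->get_field_id( 'offset' ) ),
            esc_attr( $this->get_field_name( 'offset' ) ),
            $offset
        );
    }

    // absint() reduces 123123" onmouseover="alert(777) to 123123 and turns
    // anything non-numeric into 0, so markup can never reach the database.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $instance['offset'] = isset( $new_instance['offset'] ) ? absint( $new_instance['offset'] ) : 0;
        return $instance;
    }

    // Defence in depth: re-coerce and escape, so even an option value poisoned
    // by an older plugin version cannot break out of the attribute.
    public function widget( $args, $instance ) {
        $offset = isset( $instance['offset'] ) ? absint( $instance['offset'] ) : 0;
        echo $args['before_widget'];
        echo '<div class="psac-slider" data-offset="' . esc_attr( $offset ) . '">';
        $query = new WP_Query( array( 'offset' => $offset, 'posts_per_page' => 5 ) );
        while ( $query->have_posts() ) {
            $query->the_post();
            echo '<h3>' . esc_html( get_the_title() ) . '</h3>';
        }
        wp_reset_postdata();
        echo '</div>';
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Psac_Offset_Demo_Widget_Fixed' );
} );
```

Two layers matter here: absint() on save keeps the value numeric so a later template change cannot reintroduce the bug, and esc_attr() on output protects against values that were already stored by a vulnerable version before the update.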

Understanding Stored XSS attacks

Stored XSS (Cross-Site Scripting) occurs when a web application stores user-supplied input that is later rendered as executable JavaScript/HTML in the browser of another user. Unlike Reflected XSS, which is immediate and usually tied to a specific URL, Stored XSS persists on the server and is triggered each time a page loads.

In WordPress, common targets for Stored XSS include:

  • Post titles or content
  • Custom fields
  • Plugin settings
  • User profiles
  • Widgets

Real-world examples include:

  • A Contributor injecting <script>alert(document.cookie)</script> into a post title, affecting admin users.
  • A malicious payload embedded in a plugin’s configuration panel that executes every time an administrator opens it.

Exploiting the XSS Vulnerability

To reproduce the vulnerability, follow these steps:

POC:

1) Log in with an account that can edit widgets (Administrator by default), or trick such a user into pasting the payload.
2) Navigate to Appearance → Widgets.
3) Select PSAC - Post Vertical Slider Widget.
4) In the Query Offset field, insert the payload:
123123" onmouseover="alert(777)
5) Save the widget.
6) Visit the page where the widget is rendered and hover over the slider element; the injected onmouseover handler fires and alert(777) is shown.


Recommendations for Improved Security

If you are using the Post Slider and Carousel with Widget plugin, take the following steps immediately:

✅ Immediate Mitigation

  • Update the plugin to version 3.2.10 or higher, where the vulnerability is patched, and re-save any PSAC widget whose Query Offset field does not contain a plain number.
  • If you maintain plugin code: sanitize every widget field on save (absint() for numeric inputs, sanitize_text_field() for text) and escape on output (esc_attr() inside attributes, esc_html() in element content).
  • Deploy a Content Security Policy (CSP): inline handlers such as onmouseover are blocked only when script-src omits 'unsafe-inline', and many WordPress themes and plugins rely on inline scripts, so roll the policy out in report-only mode first.
  • Use a Web Application Firewall (WAF) to detect and block payloads submitted through the widget form; note that the attacker here is already authenticated, so a WAF is a supplementary control, not a replacement for the update.

✅ Long-Term Recommendations

  • Regularly audit installed plugins for known CVEs.
  • Limit plugin and widget editing capabilities to trusted users.
  • Monitor site activity for unexpected admin actions or script execution.
  • Backup your site regularly and verify the integrity of plugin code.
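A check a site owner can run after updating, as an added example that is neither the plugin's nor CleanTalk's code: a WP-CLI script that walks every stored widget instance in wp_options and flags values containing tags, inline event handlers, attribute breakouts or javascript: URLs, which a field like Query Offset should never hold. The function and constant names are hypothetical.

```php
<?php
/*
 * Added example, not part of the plugin. Scans all widget options for markup
 * or script syntax left behind by a stored XSS. Run from the site root with:
 *   wp eval-file scan-widgets.php
 */

// Widgets whose settings legitimately contain HTML; skipped to avoid noise.
const PSAC_SCAN_SKIP = array( 'widget_block', 'widget_custom_html', 'widget_text' );

// Syntax that has no business in a numeric or short-text widget setting.
const PSAC_SUSPECT_PATTERNS = array(
    '/<\s*\/?[a-z!]/i',        // HTML tag or comment opener
    '/\bon[a-z]+\s*=/i',       // inline event handler, e.g. onmouseover=
    '/javascript\s*:/i',       // javascript: URL
    '/["\']\s*[a-z-]+\s*=/i',  // closing quote followed by attr= (attribute breakout)
);

// Recursively visit every scalar in a widget instance array.
function psac_walk_values( $value, $path, array &$findings ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            psac_walk_values( $v, $path . '[' . $k . ']', $findings );
        }
        return;
    }
    if ( ! is_string( $value ) ) {
        return;
    }
    foreach ( PSAC_SUSPECT_PATTERNS as $re ) {
        if ( preg_match( $re, $value ) ) {
            $findings[] = array( 'path' => $path, 'pattern' => $re, 'value' => $value );
            return;
        }
    }
}

// Widget instances are autoloaded options named widget_<id_base>.
function psac_scan_widget_options() {
    $findings = array();
    foreach ( wp_load_alloptions() as $name => $raw ) {
        if ( strpos( $name, 'widget_' ) !== 0 || in_array( $name, PSAC_SCAN_SKIP, true ) ) {
            continue;
        }
        psac_walk_values( maybe_unserialize( $raw ), $name, $findings );
    }
    return $findings;
}

$findings = psac_scan_widget_options();
if ( empty( $findings ) ) {
    WP_CLI::success( 'No markup or event-handler syntax found in widget options.' );
} else {
    foreach ( $findings as $f ) {
        WP_CLI::warning( sprintf( '%s matched %s: %s', $f['path'], $f['pattern'], $f['value'] ) );
    }
    WP_CLI::error( count( $findings ) . ' suspicious widget value(s); review and re-save the widget after updating the plugin.' );
}
```

A hit on a PSAC widget's offset setting means the payload is still stored: updating the plugin stops new payloads from being saved but does not clean existing option values, so the widget must be re-saved with a plain number. The patterns are deliberately broad and will also flag harmless titles that happen to contain a quote followed by text=; treat matches as leads to inspect, not as proof of compromise.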

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-4567, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Artyom k.
CVE-2025-4567 – Post Slider and Carousel with Widget < 3.2.10 – Stored XSS to JS Backdoor Creation – POC
