Meta Slider is a widely used WordPress plugin that helps users create image sliders, carousels, and other content displays. With over 600,000 installations, the plugin is a popular choice among developers and website owners for its ease of use and flexibility. However, a serious security flaw—CVE-2025-1203—has been discovered in Meta Slider, which allows malicious users to inject and execute JavaScript through a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables attackers to potentially create backdoors on WordPress sites, leading to full administrative control of the site.

CVE: CVE-2025-1203
Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Critical: High
All Time: 30 303 312
Active installations: 600 000+
Publicly Published: March 11, 2025
Last Updated: March 11, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1203
Reference: https://wpscan.com/vulnerability/fca0b129-3299-46d6-9231-ca5afd2fdb66/

Timeline

February 7, 2025: Plugin testing and vulnerability detection in the Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider have been completed
February 7, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 11, 2025: Registered CVE-2025-1203

Discovery of the Vulnerability

The vulnerability was identified in the Meta Slider plugin during a routine security audit. Specifically, the issue lies in the way user inputs are handled in the “Title” field of the plugin. This field is used to provide a title for each slide, but the input is not adequately sanitized or validated before being displayed. As a result, an attacker can inject arbitrary JavaScript into this field. The injected script is then executed when the slider shortcode is used in a post or page, posing a significant security risk.

Understanding XSS Attacks

Cross-Site Scripting (XSS) vulnerabilities occur when a web application allows users to insert malicious scripts into content that will later be executed by other users’ browsers. In WordPress, this type of attack can lead to a variety of malicious actions, including session hijacking, defacement, and even site-wide backdoor access. A notable real-world example is the XSS vulnerability in the WPForms plugin, which allowed attackers to execute scripts in forms and subsequently gain unauthorized access to sensitive site data. In the case of Meta Slider, the malicious script injected into the “Title” field can be triggered whenever an admin or editor views the slider on a page or post, leading to potential account takeover or backdoor creation.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1203, an attacker with Editor+ privileges follows the steps below.

POC:

1) Create a new Slider
2) Change the "Title" field to <img src=x onerror=alert(1)>
3) To trigger the XSS, create a new Post and insert the shortcode of the new Slider into it

____

The potential risks associated with CVE-2025-1203 are significant, especially for sites that rely on Meta Slider for displaying content. In a real-world scenario, an attacker could use this vulnerability to gain full control over a WordPress site by executing a JavaScript payload that creates a new admin user or changes the site’s settings. Once the attacker gains admin access, they could install malicious plugins, modify or delete content, or use the compromised site for further attacks, including spreading malware or phishing campaigns. The impact of this vulnerability could be devastating for e-commerce websites, blogs, or corporate sites, as it gives attackers the ability to execute arbitrary code on the server, escalate privileges, and potentially steal sensitive user data.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2025-1203, it is crucial that website administrators immediately update the Meta Slider plugin to the latest version once a patch is released. Additionally, users should restrict the ability to edit slider settings to trusted roles, ensuring that only users with administrator privileges can modify the “Title” field and other critical settings. Plugin developers should implement proper input sanitization for all user-supplied data, especially when such data is rendered into HTML or JavaScript contexts. Functions such as esc_attr(), wp_kses(), and sanitize_text_field() should be used to prevent the injection of malicious code. Finally, site owners should consider using a Web Application Firewall (WAF) to detect and block XSS attacks in real time and regularly audit their WordPress plugins for vulnerabilities. To prevent this type of attack, the vendor used our methods of prevention.
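As an added example (not MetaSlider's code and not taken from the vendor's patch), the PHP below contrasts the unescaped rendering pattern described above with output escaping and input sanitization, using the title value from the PoC. The function names and the slider markup are hypothetical; the three stand-in functions are simplified substitutes that only apply when the file is run outside WordPress.

```php
<?php
// Added example: hypothetical title handling, not MetaSlider's actual code.
// Inside WordPress the core functions are used; the stand-ins below are
// simplified so the file also runs under plain `php` for a quick check.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function example_render_title_unsafe( $title ) {
    return '<div class="example-slider" title="' . $title . '"><h3>' . $title . '</h3></div>';
}

// Hardened output: escape for the context the value lands in.
function example_render_title_safe( $title ) {
    return sprintf(
        '<div class="example-slider" title="%s"><h3>%s</h3></div>',
        esc_attr( $title ), // attribute context
        esc_html( $title )  // element-content context
    );
}

// Hardened input: store plain text only, so markup never reaches the database.
function example_save_title( $raw_title ) {
    return sanitize_text_field( $raw_title );
}

// The title value from the PoC on this page, plus a benign one (constructed).
$samples = array( '<img src=x onerror=alert(1)>', 'Summer "Sale" & More' );
foreach ( $samples as $title ) {
    echo 'stored raw  : ', example_render_title_unsafe( $title ), "\n";
    echo 'escaped out : ', example_render_title_safe( $title ), "\n";
    echo 'sanitized in: ', example_render_title_safe( example_save_title( $title ) ), "\n\n";
}
```

Escaping at output is the control that matters for values already stored before an update; sanitizing on save only protects titles written afterwards.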

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1203, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-1203 – Meta Slider – Stored XSS to Backdoor Creation – POC
