Meta Slider is a widely used WordPress plugin that helps users create image sliders, carousels, and other content displays. With over 600,000 installations, the plugin is a popular choice among developers and website owners for its ease of use and flexibility. However, a serious security flaw—CVE-2025-1203—has been discovered in Meta Slider, which allows malicious users to inject and execute JavaScript through a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables attackers to potentially create backdoors on WordPress sites, leading to full administrative control of the site.
CVE | CVE-2025-1203 |
Plugin | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider |
Critical | High |
All Time | 30 303 312 |
Active installations | 600 000+ |
Publicly Published | March 11, 2025 |
Last Updated | March 11, 2025 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1203 https://wpscan.com/vulnerability/fca0b129-3299-46d6-9231-ca5afd2fdb66/ |
Plugin Security Certification by CleanTalk | ![]() |
Logo of the plugin | ![]() |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
February 7, 2025 | Plugin testing and vulnerability detection in the Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider have been completed |
February 7, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
March 11, 2025 | Registered CVE-2025-1203 |
Discovery of the Vulnerability
The vulnerability was identified in the Meta Slider plugin during a routine security audit. Specifically, the issue lies in the way user inputs are handled in the “Title” field of the plugin. This field is used to provide a title for each slide, but the input is not adequately sanitized or validated before being displayed. As a result, an attacker can inject arbitrary JavaScript into this field. The injected script is then executed when the slider shortcode is used in a post or page, posing a significant security risk.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when a web application allows users to insert malicious scripts into content that will later be executed by other users’ browsers. In WordPress, this type of attack can lead to a variety of malicious actions, including session hijacking, defacement, and even site-wide backdoor access. A notable real-world example is the XSS vulnerability in the WPForms plugin, which allowed attackers to execute scripts in forms and subsequently gain unauthorized access to sensitive site data. In the case of Meta Slider, the malicious script injected into the “Title” field can be triggered whenever an admin or editor views the slider on a page or post, leading to potential account takeover or backdoor creation.
Exploiting the XSS Vulnerability
To exploit CVE-2025-1203, an attacker with Editor+ privileges:
POC:
1) Create a new Slider 2) Change "Title" field to <img src=x onerror=alert(1)> 3) To trigger XSS you should create a new Post and put here shortcode of new Slider
____
The potential risks associated with CVE-2025-1203 are significant, especially for sites that rely on Meta Slider for displaying content. In a real-world scenario, an attacker could use this vulnerability to gain full control over a WordPress site by executing a JavaScript payload that creates a new admin user or changes the site’s settings. Once the attacker gains admin access, they could install malicious plugins, modify or delete content, or use the compromised site for further attacks, including spreading malware or phishing campaigns. The impact of this vulnerability could be devastating for e-commerce websites, blogs, or corporate sites, as it gives attackers the ability to execute arbitrary code on the server, escalate privileges, and potentially steal sensitive user data.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2025-1203, it is crucial that website administrators immediately update the Meta Slider plugin to the latest version once a patch is released. Additionally, users should restrict the ability to edit slider settings to trusted roles, ensuring that only users with administrator privileges can modify the “Title” field and other critical settings. Plugin developers should implement proper input sanitization for all user-supplied data, especially when such data is rendered into HTML or JavaScript contexts. Functions such as esc_attr()
, wp_kses()
, and sanitize_text_field()
should be used to prevent the injection of malicious code. Finally, site owners should consider using a Web Application Firewall (WAF) to detect and block XSS attacks in real time and regularly audit their WordPress plugins for vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1203, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.