Login Sign Up

CVE-2025-58025

6.5 MEDIUM
Cross-Site Scripting

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the Master Slider WordPress plugin allows attackers to inject malicious scripts into web pages. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Master Slider versions up to 3.11.0 are affected.

💻 Affected Systems

Products:
  • Master Slider WordPress Plugin
Versions: All versions up to and including 3.11.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations using vulnerable Master Slider versions are affected regardless of configuration.

📦 What is this software?

Master Slider by Averta

View all CVEs affecting Master Slider →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to inject malicious content into the plugin's input fields, which typically requires some level of access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.11.0

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/master-slider/vulnerability/wordpress-master-slider-plugin-3-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Master Slider and click 'Update Now'. 4. Verify update completes successfully.

🔧 Temporary Workarounds

Disable Master Slider Plugin

WordPress

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate master-slider

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Master Slider version

Check Version:

wp plugin get master-slider --field=version

Verify Fix Applied:

Verify Master Slider version is greater than 3.11.0 in WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Master Slider endpoints
  • Suspicious JavaScript in plugin-related database entries

Network Indicators:

  • Malicious script tags in HTTP responses from Master Slider pages

SIEM Query:

source="wordpress" AND (plugin="master-slider" OR uri="/wp-content/plugins/master-slider/") AND (method="POST" OR status=200)

📊 Metadata

CVE ID: CVE-2025-58025
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
EPSS Score: 0.05% exploit probability (16.2th percentile)
Published: September 22, 2025
Last Updated: January 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-58025, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)