Description
The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Soundslides WordPress plugin has a stored XSS flaw that lets an authenticated user with Contributor or higher privileges place malicious JavaScript in the attribute values of the soundslides shortcode. Because the plugin neither validates those values on input nor escapes them on output, the payload is stored as plain text in post_content and turned into live markup when the shortcode is rendered, so the script runs in the browser of anyone who views the page. Contributors lack the unfiltered_html capability, so kses strips the tags and event-handler attributes it can see in the raw content; the flaw matters because a value with no angle brackets (one that closes the plugin's own attribute and appends an on*= handler, for instance) passes kses untouched and only becomes HTML when the plugin emits it. WordPress authentication cookies are HttpOnly by default, so cookie theft is the less likely outcome; the realistic impact is a script running in an Editor's or Administrator's browser (for example while reviewing the Contributor's pending post) and issuing authenticated requests on their behalf, such as creating an administrator account or editing plugin files, in addition to defacing the page for ordinary visitors. The weakness is CWE-79, improper neutralization of input during web page generation.
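As an added illustration of the flaw class described above (written for this page, not the Soundslides plugin's own code; the attribute names src, width, height, title, the emitted markup and the demo tag names are assumptions, only the shortcode mechanism comes from the advisory), here is the vulnerable shortcode-handler pattern next to the hardened form built on WordPress's own escaping API:

```php
<?php
// Added example for this page, not code from the Soundslides plugin. The
// attribute names (src, width, height, title), the emitted markup and the
// demo tag names are assumptions. Load it as a mu-plugin to try both
// handlers side by side in a post.

// VULNERABLE PATTERN: attribute values are concatenated into HTML as-is.
// A Contributor saves this in a post:
//   [soundslides_demo_vuln src="https://example.com/show" title='" onmouseover="alert(document.domain)']
// Contributors lack unfiltered_html, so kses strips tags and event handlers it
// can see in the raw content, but this value contains no angle brackets and
// passes through untouched. At render time it closes the title attribute and
// adds a live event handler to the emitted <div>.
function vuln_soundslides_shortcode( $atts ) {
    $a = shortcode_atts(
        array( 'src' => '', 'width' => '620', 'height' => '533', 'title' => '' ),
        $atts,
        'soundslides_demo_vuln'
    );
    return '<div class="soundslides" title="' . $a['title'] . '">'
        . '<iframe src="' . $a['src'] . '" width="' . $a['width']
        . '" height="' . $a['height'] . '"></iframe></div>';
}
add_shortcode( 'soundslides_demo_vuln', 'vuln_soundslides_shortcode' );

// HARDENED PATTERN: validate each value for the type it must be, then escape
// it for the context it lands in (an HTML attribute). The same payload now
// renders as title="&quot; onmouseover=&quot;alert(document.domain)", which
// is inert text inside one attribute.
function safe_soundslides_shortcode( $atts ) {
    $a = shortcode_atts(
        array( 'src' => '', 'width' => '620', 'height' => '533', 'title' => '' ),
        $atts,
        'soundslides_demo_safe'
    );

    // URL: esc_url() with an explicit scheme list returns '' for javascript:,
    // data: and anything else not listed, so refuse to render rather than
    // emit an empty frame.
    $src = esc_url( $a['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return '';
    }
    // Dimensions: coerce to non-negative integers so only digits reach the markup.
    $width  = absint( $a['width'] );
    $height = absint( $a['height'] );
    // Free text: esc_attr() encodes quotes, ampersands and angle brackets for
    // an attribute context (esc_html() would be the choice for element text).
    $title  = esc_attr( $a['title'] );

    return sprintf(
        '<div class="soundslides" title="%s"><iframe src="%s" width="%d" height="%d"></iframe></div>',
        $title, $src, $width, $height
    );
}
add_shortcode( 'soundslides_demo_safe', 'safe_soundslides_shortcode' );
```

The two handlers differ only in the four lines between shortcode_atts() and the return, which is the whole of the fix such a plugin needs: decide what each attribute is (URL, integer, text) and pick the matching validation and escaping call.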

Affected Systems

All releases of Soundslides up to and including 1.4.2 are affected. Any WordPress site with the plugin active is exposed, whether or not it currently uses the shortcode, because the attacker supplies the shortcode in a post, page, or any other content that is passed through do_shortcode(). The only prerequisite is an account with Contributor or higher privileges. This page's vendor/product mapping lists only the generic WordPress entry and records no fixed version; the affected range is bounded only by 1.4.2.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (6.4, Medium): reachable over the network, low attack complexity, low privileges required, no user interaction scored, with a scope change because the script executes in other users' browsers. The EPSS score below 1% reflects a low observed probability of exploitation and the flaw is not in CISA KEV, but neither says anything about a given site's exposure: any site that hands out Contributor accounts (open registration at that level, guest authors, outside agencies) should treat it as exploitable. A Contributor cannot publish, so the usual path is a pending post whose shortcode payload fires when an Editor or Administrator previews or reviews it, which is exactly the browser session worth riding; once the post is published, every visitor to the page is affected.

Generated by OpenCVE AI on April 21, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Soundslides to a release newer than 1.4.2 if the vendor has published one; this page lists no fixed version or vendor advisory, so confirm in the plugin changelog that the release escapes shortcode attributes before relying on it. If no fixed release exists, deactivate the plugin.
  • If neither is possible immediately, unregister the soundslides shortcode with remove_shortcode() from a must-use plugin rather than by editing the plugin's own files (such edits are lost on update), and audit existing posts for soundslides shortcodes whose attribute values contain quotes, angle brackets, or on*= handlers.
  • Until the plugin is fixed, remove Contributor and Author access from untrusted accounts. Role capabilities cannot selectively block a shortcode (it is plain text in post_content), so the effective controls are removing the accounts or stripping the shortcode from content saved by users who lack unfiltered_html.
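The containment described in the second and third items, as an added must-use plugin written for this page (not the vendor's code; only the shortcode tag 'soundslides' comes from the advisory, and the helper name ssc_audit_soundslides is invented):

```php
<?php
/**
 * Plugin Name: Soundslides shortcode containment (added example)
 *
 * Drop into wp-content/mu-plugins/. Illustration written for this page, not
 * code from the Soundslides plugin or its vendor. It assumes the shortcode
 * tag is 'soundslides' as stated in the advisory; everything else is this
 * example's own. Remove it once a fixed plugin release is installed.
 */

// 1. Stop the shortcode from rendering at all. Plugins usually register
//    shortcodes at file load or on 'init'; running last on 'init' unregisters
//    it, so the literal "[soundslides ...]" text is left in the page instead of
//    markup. If the plugin registers on a later hook, move this to that hook.
add_action( 'init', function () {
    remove_shortcode( 'soundslides' );
}, PHP_INT_MAX );

// 2. Defence in depth: strip the shortcode from content saved by users who
//    lack unfiltered_html (Contributors and Authors by default), so a payload
//    never reaches the database. The filter receives slashed data, hence the
//    wp_unslash()/wp_slash() pair.
add_filter( 'wp_insert_post_data', function ( $data ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data;
    }
    $content = wp_unslash( $data['post_content'] );
    // get_shortcode_regex() takes an explicit tag list (WP 4.4+), so it still
    // matches after the tag has been unregistered above.
    $regex   = '/' . get_shortcode_regex( array( 'soundslides' ) ) . '/s';
    $content = preg_replace( $regex, '', $content );
    $data['post_content'] = wp_slash( $content );
    return $data;
}, 10 );

// 3. Audit helper: list posts whose stored soundslides shortcode carries an
//    attribute string that looks like an injection attempt.
//    Usage from WP-CLI: wp eval 'print_r( ssc_audit_soundslides() );'
function ssc_audit_soundslides() {
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_content
             FROM {$wpdb->posts}
             WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[soundslides' ) . '%'
        )
    );
    $regex    = '/' . get_shortcode_regex( array( 'soundslides' ) ) . '/s';
    $suspects = array();
    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $regex, $row->post_content, $m, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $m as $sc ) {
            $atts = $sc[3]; // capture 3 of the core regex: the raw attribute text
            // Angle brackets, an on*= handler, a javascript: scheme or an odd
            // number of double quotes have no legitimate use in these attributes.
            if ( preg_match( '/[<>]|\bon\w+\s*=|javascript:/i', $atts )
                || substr_count( $atts, '"' ) % 2 !== 0 ) {
                $suspects[] = array(
                    'post_id' => (int) $row->ID,
                    'author'  => (int) $row->post_author,
                    'status'  => $row->post_status,
                    'atts'    => $atts,
                );
            }
        }
    }
    return $suspects;
}
```

Run the audit before and after deploying the file: anything it returns with status 'pending' or 'draft' identifies the account that submitted it, and anything already 'publish' has been served to visitors and should be cleaned by hand, since step 2 only filters future saves.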

Advisories

No advisories yet.

History

All entries below add values; none removes any.

Fri, 28 Nov 2025 20:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

  First Time appeared, added: Wordpress; Wordpress wordpress
  Vendors & Products, added: Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 03:00:00 +0000

  Description added: The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title added: Soundslides <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundslides Shortcode
  Weaknesses added: CWE-79
  References added: (none)
  Metrics (cvssV3_1) added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:15.917Z

Reserved: 2025-11-04T19:42:37.074Z

Link: CVE-2025-12713

Vulnrichment

Updated: 2025-11-28T14:39:35.745Z

NVD

Status : Deferred

Published: 2025-11-27T03:15:58.293

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses