Description
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The identified flaw allows attacker supplied content to be reflected back to the browser via the PHP_SELF server variable. Because the value is printed without proper sanitization or escaping, an unauthenticated attacker can inject malicious scripts. The consequences may include session hijacking, credential theft, or the delivery of malware when a victim visits a crafted URL that triggers the attack.

Affected Systems

All WordPress installations running the Simple AL Slider plugin up to and including version 1.2.10 are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1, indicating moderate severity, and an EPSS score of less than 1 %, meaning the probability of exploitation is currently very low. It is not listed in CISA’s KEV catalog. The attack vector is most likely through a crafted link or a malicious URL that references PHP_SELF; no authentication or privilege escalation is required.

Generated by OpenCVE AI on April 20, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin version (any release newer than 1.2.10).
  • If an update is not feasible, disable or remove the Simple AL Slider plugin from the WordPress installation.
  • As a temporary measure, refactor the affected code to replace PHP_SELF with a hard‑coded path or sanitize the value with the WordPress esc_attr() function before output.

Generated by OpenCVE AI on April 20, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Alexdtn
Alexdtn simple Al Slider
Wordpress
Wordpress wordpress
Vendors & Products Alexdtn
Alexdtn simple Al Slider
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Alexdtn Simple Al Slider
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:55.668Z

Reserved: 2025-12-05T17:11:59.718Z

Link: CVE-2025-14137

cve-icon Vulnrichment

Updated: 2025-12-18T20:39:31.660Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:47.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses