Description
The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-03-18
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary shortcode execution
Action: Patch Immediately
AI Analysis

Impact

The Logo Slider WordPress plugin, in versions up to and including 3.7.3, contains a flaw in which an unchecked value is passed to WordPress's do_shortcode(), permitting any attacker to inject and run arbitrary shortcodes without authentication. Since shortcodes can execute PHP code, this weakness enables remote code execution, data exfiltration, or other malicious actions. The issue stems from a lack of proper authorization checks on the action and is classified as CWE-862 (Missing Authorization).

Affected Systems

WordPress sites with the Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin at version 3.7.3 or earlier installed are affected. The plugin is published under the author name samdani in the WordPress plugin repository. Installing any release newer than 3.7.3 removes the vulnerability.

Risk and Exploitability

The CVSS score of 7.3 places the vulnerability in the high severity category. Its EPSS score is below 1%, indicating that exploitation is unlikely in the general WordPress ecosystem at present, and it is not listed in the CISA KEV catalog. However, because the flaw does not require authentication, an attacker can exploit the vulnerability by injecting malicious shortcodes into public-facing content such as posts or comments, making the attack path straightforward once the exploit is discovered.

Generated by OpenCVE AI on April 21, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official plugin release, version 3.7.4 or newer, which removes the unchecked shortcode execution path.
  • If an immediate upgrade is not feasible, disable or uninstall the Logo Slider plugin until a patched version is available.
  • Review the site’s content creation permissions and enforce a whitelist or sanitization process for shortcodes to mitigate accidental or malicious execution.

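The following is an added illustration of the CWE-862 pattern the analysis above describes and of the allow-list/authorization fix the recommended actions call for. It is not the Logo Slider plugin's own code and is not a reconstruction of it: the AJAX action name example_render, the function names, the nonce name, the shortcode tag logoshowcase and the post type logoslider are all assumptions made for this example. The first handler shows how an unauthenticated hook that forwards a raw request value to do_shortcode() lets a caller run any registered shortcode; the second shows the hardened form a maintainer would ship.

```php
<?php
// Added example, not the plugin's own code. All hook names, function names
// and the 'logoshowcase' / 'logoslider' identifiers are assumptions.

// --- Vulnerable pattern (kept only to show the defect) ------------------
// wp_ajax_nopriv_* exposes the action to visitors who are not logged in, and
// the raw POST value goes straight into do_shortcode(), so the caller decides
// which shortcode tag and attributes are executed: missing authorization
// (CWE-862) combined with unvalidated input.
function example_vuln_render_shortcode() {
    $sc = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $sc );
    wp_die();
}
add_action( 'wp_ajax_example_render',        'example_vuln_render_shortcode' );
add_action( 'wp_ajax_nopriv_example_render', 'example_vuln_render_shortcode' );

// --- Hardened pattern ----------------------------------------------------
// 1. Only the authenticated hook is registered (no wp_ajax_nopriv_*).
// 2. A nonce plus a capability check establish authorization.
// 3. The request may only carry a numeric slider ID; the shortcode tag is a
//    constant chosen by the plugin, so the caller cannot pick what runs.
// 4. The ID is validated against the expected post type before use.
const EXAMPLE_ALLOWED_SHORTCODE = 'logoshowcase'; // assumed tag name
const EXAMPLE_SLIDER_POST_TYPE  = 'logoslider';   // assumed custom post type

function example_safe_render_shortcode() {
    // Rejects the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $slider_id = isset( $_POST['slider_id'] ) ? absint( $_POST['slider_id'] ) : 0;
    if ( 0 === $slider_id || get_post_type( $slider_id ) !== EXAMPLE_SLIDER_POST_TYPE ) {
        wp_send_json_error( 'invalid slider id', 400 );
    }

    // Build the shortcode string ourselves: the only attacker-influenced part
    // is an integer that has already been validated as a real slider post.
    $shortcode = sprintf( '[%s id="%d"]', EXAMPLE_ALLOWED_SHORTCODE, $slider_id );
    $html      = do_shortcode( $shortcode );

    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_example_render', 'example_safe_render_shortcode' );
```

When reviewing a plugin for this class of bug, the things to look for are exactly the differences between the two handlers: a wp_ajax_nopriv_ registration (or an admin-post/REST route with a permissive permission callback) on the same handler, a call to do_shortcode() whose argument is derived from the request, and the absence of a nonce or capability check before it. The fix is to drop the unauthenticated registration, add the authorization checks, and never let the request supply the shortcode tag itself.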


Advisories
Source: EUVD
ID: EUVD-2025-6470
Title: The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Tue, 18 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Mar 2025 06:45:00 +0000

Type: Description
Values Added: The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Type: Title
Values Added: Logo Slider <= 3.7.3 - Unauthenticated Arbitrary Shortcode Execution

Type: Weaknesses
Values Added: CWE-862

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:26.748Z

Reserved: 2025-03-12T17:52:40.549Z

Link: CVE-2025-2262

Vulnrichment

Updated: 2025-03-18T14:00:17.164Z

NVD

Status: Deferred

Published: 2025-03-18T07:15:33.907

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses