Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier visual-slider allows Reflected XSS.This issue affects visualslider Sldier: from n/a through <= 1.1.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input that allows reflected XSS in the visualslider Sldier plugin. When an attacker crafts a URL containing malicious JavaScript, that script is reflected back in the web page and executed in the victim’s browser. This can enable session hijacking, credential theft, or defacement of the site. The flaw is a classic injection weakness identified as CWE‑79.

Affected Systems

The flaw affects the WordPress plugin visualslider Sldier by the vendor dastan800. All released versions from the original build through version 1.1.1 are vulnerable; any installation of the plugin with a version identifier of 1.1.1 or earlier is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity for exploitation. The EPSS score of less than 1 % suggests that, while the probability of automated exploitation currently is low, the vulnerability remains present and could be leveraged via manual attacks. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request to a public page served by the plugin, where the input is reflected without proper output encoding.

Generated by OpenCVE AI on May 1, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the visualslider Sldier plugin to the latest released version that removes the XSS flaw.
  • If an upgrade is not immediately available, modify the plugin’s output generation code to escape all user‑supplied data using safe rendering functions before sending responses to the browser.
  • Implement a web application firewall rule or access restriction that blocks direct access to the plugin’s data input endpoints until a proper patch is deployed.

Generated by OpenCVE AI on May 1, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11589 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier allows Reflected XSS. This issue affects visualslider Sldier: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier allows Reflected XSS. This issue affects visualslider Sldier: from n/a through 1.1.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier visual-slider allows Reflected XSS.This issue affects visualslider Sldier: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier allows Reflected XSS. This issue affects visualslider Sldier: from n/a through 1.1.1.
Title WordPress visualslider Sldier plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.177Z

Reserved: 2025-01-16T11:24:48.263Z

Link: CVE-2025-23448

cve-icon Vulnrichment

Updated: 2025-04-17T17:42:45.835Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:30.357

Modified: 2026-06-17T08:54:27.073

Link: CVE-2025-23448

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')