Impact
The MetaSlider Responsive Slider by MetaSlider plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to submit crafted requests to the plugin's administrative endpoints. Because CSRF protection was missing, a malicious site can cause an authenticated user to perform unwanted actions, such as modifying slider settings or adding malicious content, without the user's consent. The impact is limited to changes of configuration or content that could be used for social engineering or defacement.
Affected Systems
WordPress installations running MetaSlider Responsive Slider by MetaSlider at any plugin version up to and including 3.92.0 are affected. All releases from the first deployment through 3.92.0 lack the necessary defensive checks and are therefore considered vulnerable.
Risk and Exploitability
With a CVSS score of 5.4, the vulnerability is of moderate severity but still poses a risk to sites where logged-in administrators or users could be tricked into visiting a malicious page. The EPSS score of less than 1% indicates a very low likelihood of widespread exploitation at present, and the issue is not currently listed in the CISA KEV catalog. Exploitation requires the victim to be authenticated to WordPress and to visit a specially crafted URL or page from an attacker's site, after which the victim's browser submits the attacker's request to the plugin's protected actions.
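As an added illustration (not MetaSlider's code; the advisory does not name the affected endpoint or settings), the following hypothetical WordPress admin-ajax handler shows the missing-nonce pattern the advisory describes beside a hardened version that verifies a nonce and a capability. The action names, meta key, capability and script handle are assumptions.

```php
<?php
// Added illustration, not MetaSlider's code. Handler, action and meta names are invented.

// --- Vulnerable pattern: a capability check alone does not stop CSRF. The browser of a
//     logged-in editor sends WordPress auth cookies automatically, so a request forged
//     by another site passes current_user_can() and is processed.
function example_slider_save_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $slider_id = (int) ( $_POST['slider_id'] ?? 0 );
    $caption   = wp_kses_post( wp_unslash( $_POST['caption'] ?? '' ) );
    update_post_meta( $slider_id, '_example_caption', $caption );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_slider_save_vulnerable', 'example_slider_save_vulnerable' );

// --- Hardened pattern: first verify a per-user nonce bound to this action (proves the
//     request originated from a page WordPress rendered for this user), then enforce
//     authorization. Both checks are needed; neither replaces the other.
function example_slider_save_hardened() {
    // Sends a 403 ("-1") and dies when the nonce is missing or invalid.
    check_ajax_referer( 'example_slider_save', '_wpnonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $slider_id = (int) ( $_POST['slider_id'] ?? 0 );
    $caption   = wp_kses_post( wp_unslash( $_POST['caption'] ?? '' ) );
    update_post_meta( $slider_id, '_example_caption', $caption );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_slider_save', 'example_slider_save_hardened' );

// The nonce the hardened handler expects is issued only to the plugin's own admin page,
// here passed to its script so the legitimate form can include it as _wpnonce.
function example_slider_enqueue_admin() {
    wp_enqueue_script( 'example-slider-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-slider-admin', 'exampleSlider', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_slider_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_slider_enqueue_admin' );
```

When auditing a plugin for this class of bug, look for `wp_ajax_*` or `admin_post_*` handlers that reach a write operation without a preceding `check_ajax_referer()`, `check_admin_referer()` or `wp_verify_nonce()` call.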