Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider logo-carousel-slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through <= 2.1.3.
Published: 2025-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wpWax Logo Carousel Slider plugin contains a stored cross‑site scripting flaw. Unsanitized input is saved and subsequently rendered as part of the slider’s output, permitting an attacker to inject malicious scripts that execute within the browsers of users who view the affected content. This improper neutralization of input can lead to client‑side code execution for any visitor.

Affected Systems

WordPress sites running the wpWax Logo Carousel Slider plugin through version 2.1.3 are affected. The vendor is wpWax and the product is Logo Carousel Slider. The CNA gives the affected range as "from n/a through <= 2.1.3".

Risk and Exploitability

CVSS score 6.5 indicates moderate severity. EPSS < 1% reflects a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker with administrative access to the plugin’s interface or the ability to submit content that is stored and later displayed, enabling the stored XSS payload to be delivered to site visitors.

Generated by OpenCVE AI on May 2, 2026 at 02:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Logo Carousel Slider plugin to a version that contains the XSS fix; if a patched release is unavailable, remove or deactivate the plugin until an update is released.
  • Review and delete any slider content that contains suspicious or unexpected script code to eliminate existing stored payloads.
  • Apply a content filtering layer that sanitizes or escapes output from the plugin until a proper fix is in place.
  • Run a site‑wide XSS vulnerability scan to ensure no other injected content remains.

Advisories
Source: EUVD
ID: EUVD-2025-11331
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through 2.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through 2.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider logo-carousel-slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through <= 2.1.3.
Title
  Removed: WordPress Logo Carousel Slider <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Logo Carousel Slider plugin <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through 2.1.3.
Title WordPress Logo Carousel Slider <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.073Z

Reserved: 2025-04-16T06:24:32.684Z

Link: CVE-2025-39525

Vulnrichment

Updated: 2025-04-16T13:16:00.979Z

NVD

Status: Deferred

Published: 2025-04-16T13:15:45.893

Modified: 2026-04-23T15:29:43.670

Link: CVE-2025-39525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z
