Description
The Advanced Reorder Image Text Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'reorder-simple-image-text-slider-setting' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-05-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Apply Patch
AI Analysis

Impact

The Advanced Reorder Image Text Slider plugin for WordPress contains a Cross‑Site Request Forgery flaw that allows an unauthenticated attacker to modify the plugin’s settings. Because the plugin fails to validate a nonce when loading the configuration page, a forged request can inject arbitrary JavaScript into the stored settings. Once stored, the malicious script runs under the context of the site whenever the plugin displays its content, giving attackers the ability to deface pages, steal user data, or install malware on visitors. This vulnerability is classified as CWE‑352 and results in a moderate severity score of 6.1 on the CVSS scale.
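The handler shape behind the flaw described above, as an added illustration rather than the plugin's own code (which this page does not show): the first function saves an option on any POST, which is what a settings page with no nonce check looks like; the second adds the capability check, nonce verification and input sanitization that close both the CSRF and the stored-XSS sink. The option name, nonce action name and form field are assumptions; the page slug is the one named in the description.

```php
<?php
// Added illustration, not the plugin's code. Option/nonce names are hypothetical.

// Pattern 1: CSRF-prone. Any POST carrying the field is accepted, so a forged
// request sent from a logged-in administrator's browser updates the option,
// and unsanitized markup is stored for later rendering.
function rsits_save_settings_unsafe() {
    if ( isset( $_POST['rsits_title'] ) ) {
        update_option( 'rsits_slider_title', $_POST['rsits_title'] ); // no nonce, no capability check
    }
}

// Pattern 2: hardened handler for the same setting.
function rsits_save_settings_safe() {
    if ( ! isset( $_POST['rsits_title'] ) ) {
        return;
    }
    // Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rsits' ), 403 );
    }
    // Nonce check: the token is issued on this admin page and is unknown to a
    // third-party site, so a cross-site forged POST fails here (wp_die on failure).
    check_admin_referer( 'rsits_save_settings', 'rsits_nonce' );
    // Sanitize on input so script markup never reaches the database.
    $title = sanitize_text_field( wp_unslash( $_POST['rsits_title'] ) );
    update_option( 'rsits_slider_title', $title );
}

// Settings page: renders the form with the nonce field the safe handler verifies.
function rsits_render_settings_page() {
    rsits_save_settings_safe();
    $title = get_option( 'rsits_slider_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=reorder-simple-image-text-slider-setting' ) ); ?>">
        <?php wp_nonce_field( 'rsits_save_settings', 'rsits_nonce' ); ?>
        <input type="text" name="rsits_title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end output: escape on output as a second layer, so even a value that
// reached the database through another path cannot execute as script.
function rsits_render_slider_title() {
    echo '<h2>' . esc_html( get_option( 'rsits_slider_title', '' ) ) . '</h2>';
}
```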

Affected Systems

WordPress sites that use the Advanced Reorder Image Text Slider plugin version 1.0 or earlier are affected. The plugin is maintained by balasahebbhise and is commonly installed through the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate threat, and the EPSS score of less than 1% shows a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to lure an administrator who is logged in to the site into clicking a malicious link or visiting a compromised page that submits a forged request. If successful, the attacker gains persistent cross‑site scripting capabilities that affect all site users. Because the flaw is unauthenticated but requires administrative interaction, the risk is constrained, but the impact on confidentiality, integrity, and availability of site content can be significant.

Generated by OpenCVE AI on April 21, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Reorder Image Text Slider plugin to the latest version, ensuring the nonce validation on the settings page is present.
  • If an upgrade is unavailable, disable or remove the plugin until a patch is released.
  • Educate site administrators to avoid clicking unknown links while logged into WordPress and consider implementing a site‑wide CSRF protection plugin to mitigate similar future issues.


Advisories

Source: EUVD
ID: EUVD-2025-13314
Title: same text as the Description above.
History

Mon, 05 May 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 03 May 2025 02:30:00 +0000

Type: Description
Values added: same text as the Description above.

Type: Title
Values added: Advanced Reorder Image Text Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:14.743Z

Reserved: 2025-05-01T12:57:13.299Z

Link: CVE-2025-4188

Vulnrichment

Updated: 2025-05-05T14:40:47.472Z

NVD

Status: Deferred

Published: 2025-05-03T03:15:28.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses