Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS.

This issue affects Master Slider: from n/a through 3.10.8.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation results in a DOM-based XSS vulnerability. An attacker can inject malicious JavaScript that runs in the context of a victim’s browser, potentially exposing session cookies, defacing the site or phishing for credentials. The weakness is classified as CWE-79 and has a moderate CVSS score, indicating non-critical but still noteworthy risk.

Affected Systems

The defect is found in the WordPress Master Slider plugin by Averta. All releases up to and including version 3.10.8 are affected. Site administrators running these versions of the plugin must upgrade to 3.10.9 or later to eliminate the vulnerability.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. EPSS information is not available, which means there is insufficient data on how frequently this exploit is used in the wild. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is client‑side DOM manipulation; an attacker can embed malicious code in a webpage rendered by the plugin, or craft a URL that causes the victim’s browser to execute injected scripts. The exploit is easy to trigger from a remote host and requires only a vulnerable plugin on the target site, suggesting a potentially broad impact if multiple sites remain unpatched.

Generated by OpenCVE AI on May 27, 2026 at 10:35 UTC.

Remediation

Vendor Solution

Update the WordPress Master Slider plugin to the latest available version (at least 3.10.9).


OpenCVE Recommended Actions

  • Update the WordPress Master Slider plugin to version 3.10.9 or newer.
  • If an immediate update is not possible, disable or remove the plugin until the patch can be applied.
  • Sanitize all user‑controlled data and ensure that the plugin’s configuration options do not render unsafe content.


Advisories

No advisories yet.

History

Wed, 27 May 2026 12:15:00 +0000

Changes (Type: Values Added; no values removed):

  • First Time appeared: Averta; Averta master Slider; Wordpress; Wordpress wordpress
  • Vendors & Products: Averta; Averta master Slider; Wordpress; Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Changes (Type: Values Added; no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:00:00 +0000

Changes (Type: Values Added; no values removed):

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.10.8.
  • Title: WordPress Master Slider plugin <= 3.10.8 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:26:43.137Z

Reserved: 2026-05-26T19:56:06.748Z

Link: CVE-2026-48968

Vulnrichment

Updated: 2026-05-27T10:26:37.711Z

NVD

Status: Received

Published: 2026-05-27T09:16:32.120

Modified: 2026-05-27T09:16:32.120

Link: CVE-2026-48968

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z

Weaknesses