Stored Cross-Site Scripting Vulnerability in WP Posts Carousel Plugin for WordPress
CVE-2025-1491
6.4MEDIUM
Key Information:
- Vendor
- Teastudiopl
- Status
- WP Posts Carousel
- Vendor
- CVE Published:
- 1 March 2025
Summary
The WP Posts Carousel plugin for WordPress has a vulnerability in the 'auto_play_timeout' parameter that permits stored Cross-Site Scripting (XSS) attacks. This flaw arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These malicious scripts execute whenever users access the infected pages, posing a significant threat to site integrity and user safety. It is crucial for site administrators to review plugin configurations and apply necessary updates to mitigate this risk.
Affected Version(s)
WP Posts Carousel * <= 1.3.7
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Krzysztof Zając