Stored Cross-Site Scripting Vulnerability in WP Posts Carousel Plugin for WordPress
CVE-2025-1491
6.4MEDIUM
What is CVE-2025-1491?
The WP Posts Carousel plugin for WordPress has a vulnerability in the 'auto_play_timeout' parameter that permits stored Cross-Site Scripting (XSS) attacks. This flaw arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These malicious scripts execute whenever users access the infected pages, posing a significant threat to site integrity and user safety. It is crucial for site administrators to review plugin configurations and apply necessary updates to mitigate this risk.
Affected Version(s)
WP Posts Carousel * <= 1.3.7