Logo Slider < 4.9.0 – Contributor+ Stored XSS | CVE 2025-13153 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1) Log in to WordPress as a contributor.
2) In the admin dashboard, click the Logo Slider tab -> Shortcode Generator -> Add New Slider button up top.
3) Put "Test" as the name for the slider. Click on the Carousel tab and scroll down to Navigation Settings.
4) Click on the Nav Color color picker and paste the XSS payload: " autofocus onfocus="alert(document.cookie)
5) Click "Submit for Review" on the top right in the panel.
6) JavaScript alert should immediately trigger.

Other vulnerable Carousel fields with the same payload:
- Nav hover color
- Background color
- Background hover color
- Border color
- Border hover color
- Pagination color
- Active color

Affects Plugins

Fixed in 4.9.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Tselevich (nos3curity)

Submitter

Alex Tselevich (nos3curity)

Submitter website

https://nosecurity.blog

Submitter twitter

Verified

Yes

WPVDB ID

0ed67947-228d-420c-8d28-e0d7326eb101

Timeline

Publicly Published

2025-12-12 (about 21 days ago)

Added

2025-12-12 (about 20 days ago)

Last Updated

2025-12-12 (about 20 days ago)

Other

Published

Title

Published

2024-11-22

Title

Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net < 1.113.0 - Reflected Cross-Site Scripting

Published

2021-06-10

Title

Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)

Published

2014-08-01

Title

WP Forum Server <= 1.7.3 - fs-admin/wpf-add-forum.php groupid Parameter XSS

Published

2021-03-17

Title

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget

Published

2024-06-28

Title

Cards for Beaver Builder < 1.1.5 - Authenticated (Editor+) Stored Cross-Site Scripting