Custom Post Carousels with Owl < 1.4.12 – Contributor+ Stored XSS | CVE 2025-5125 | Plugin Vulnerabilities

Description

The plugin uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.

Proof of Concept

As an admin, browse to /wp-admin/edit.php?post_type=owl-carousel and add a new carousel.

Choose Media as the post type and enable the "Open in Lightbox" option.

As a contributor, create a new post containing this HTML:
```
[dd-owl-carousel id="614"]
<a data-featherlight="&lt;img src=x onerror=&quot;alert()&quot;&gt;" href="#">Click me</a> 
```

(Adjust the ID of the carousel accordingly.)

If another user clicks the link, the JS is executed.

Affects Plugins

dd-post-carousel

Fixed in 1.4.12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

aaf9e3f8-b312-432d-a635-6fe89ff8d13f

Timeline

Publicly Published

2025-05-30 (about 7 months ago)

Added

2025-05-30 (about 7 months ago)

Last Updated

2025-05-30 (about 7 months ago)

Other

Published

Title

Published

2025-03-02

Title

Nested Pages < 3.2.13 - Contributor+ Stored XSS

Published

2025-03-24

Title

AI Preloader <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-12-31

Title

The Moneytizer <= 10.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS

Published

2024-06-05

Title

MapFig Studio <= 0.2.1 - Stored XSS via CSRF