CVE-2025-0350 identifies a stored Cross-Site Scripting (XSS) vulnerability in the badhonrocks Carousel Maker for Divi plugin, a popular WordPress plugin used to create image, logo, testimonial, and post carousels. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes in the Image Carousel and Logo Carousel components. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into carousel elements. Because this is a stored XSS, the malicious payload is saved in the WordPress database and executed in the browsers of any users who visit the affected pages, including administrators and site visitors. The vulnerability does not require user interaction beyond visiting the compromised page and does not require elevated privileges beyond contributor access. The CVSS 3.1 score of 6.4 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with a scope change (potentially affecting other users). No patches or fixes have been publicly linked yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The impact of CVE-2025-0350 is significant for organizations using the affected plugin on WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, theft of sensitive data such as cookies or credentials, defacement of website content, or redirection to malicious sites. Because the vulnerability is stored, the malicious code persists and affects all users who access the compromised pages, including administrators, increasing the risk of privilege escalation or further compromise. This can damage organizational reputation, lead to data breaches, and disrupt business operations. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but many WordPress sites grant such access to multiple users, increasing risk. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once the vulnerability is public.

To mitigate CVE-2025-0350, organizations should first check for updates from the plugin vendor and apply any available patches promptly. In the absence of official patches, administrators should restrict contributor-level access to trusted users only and audit existing user roles and permissions. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting carousel parameters can provide temporary protection. Site owners should also sanitize and validate all user inputs related to carousel content manually or via custom code to ensure no executable scripts are stored. Regular security scanning and monitoring for unusual activity or injected scripts in carousel content are recommended. Additionally, educating contributors about safe content practices and monitoring for account compromise can reduce exploitation risk. Finally, consider disabling or replacing the vulnerable plugin with a secure alternative if patching is not feasible.