CVE-2025-5291 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Master Slider – Responsive Touch Slider plugin for WordPress, affecting all versions up to and including 3.10.8. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's masterslider_pb and ms_slide shortcodes. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, reflecting improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability impacts the confidentiality and integrity of affected systems but does not affect availability. Given the plugin's widespread use in WordPress environments, especially in content management scenarios involving multiple contributors, this vulnerability poses a significant risk if left unmitigated.

The primary impact of CVE-2025-5291 is the potential for attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, session tokens, or other sensitive information, enabling further compromise of user accounts or site administration. The vulnerability compromises confidentiality and integrity but does not directly impact availability. Organizations relying on WordPress sites with collaborative content creation are at risk of internal threat actors or compromised contributor accounts exploiting this flaw. The scope of affected systems is broad due to the popularity of the Master Slider plugin in WordPress installations worldwide. Exploitation requires authenticated access, which limits exposure to external unauthenticated attackers but elevates risk from insider threats or compromised contributor credentials. If exploited at scale, attackers could conduct widespread phishing, defacement, or lateral movement within the affected web environments.

1. Immediately restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. 2. Monitor all usage of the masterslider_pb and ms_slide shortcodes in site content for unexpected or suspicious scripts or attributes. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting these shortcodes. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Regularly update the Master Slider plugin to the latest version once a patch addressing this vulnerability is released by the vendor. 6. Educate content contributors about the risks of injecting untrusted content and enforce input validation policies. 7. Conduct periodic security audits and code reviews of custom shortcode usage and plugin configurations. 8. Consider temporarily disabling the vulnerable shortcodes if immediate patching is not possible to prevent exploitation.