CVE-2025-5291: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in averta Master Slider – Responsive Touch Slider
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5291 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Master Slider – Responsive Touch Slider WordPress plugin developed by averta. This vulnerability exists in all versions up to and including 3.10.8. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's masterslider_pb and ms_slide shortcodes. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via these shortcodes. Because the malicious script is stored persistently in the WordPress database, it executes whenever any user accesses the compromised page, potentially affecting site administrators, editors, and visitors. The vulnerability does not require user interaction beyond page access and has a CVSS v3.1 base score of 6.4 (medium severity), reflecting a network attack vector, low attack complexity, and low privileges required (a low-level authenticated user). The scope is changed (S:C) because the injected script can affect other users' sessions or data. The impact includes limited confidentiality and integrity loss, as the injected script could steal cookies or session tokens or perform actions on behalf of users, but it does not affect availability. No known exploits in the wild have been reported yet. This vulnerability is a classic example of CWE-79, where improper neutralization of input during web page generation leads to persistent XSS. Given the widespread use of WordPress and the popularity of the Master Slider plugin for responsive touch sliders on websites, this vulnerability poses a significant risk to affected sites if left unpatched and unmitigated.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information such as authentication cookies or personal data, enabling session hijacking or privilege escalation within the affected WordPress site. Attackers could leverage this to impersonate users with higher privileges, modify content, or conduct phishing attacks by injecting malicious scripts that alter page content or redirect users. Organizations relying on WordPress sites for customer engagement, e-commerce, or internal portals may suffer reputational damage, data breaches, and compliance violations under GDPR if personal data is compromised. Since the exploit requires contributor-level access, insider threats or compromised low-privilege accounts are the primary risk vectors. The persistent nature of stored XSS increases the attack surface, as any visitor to the infected page can be affected. This could also facilitate lateral movement within an organization's web infrastructure if administrative users are targeted. The medium CVSS score reflects moderate impact, but the real-world consequences depend on the site's user base and security posture. European entities with public-facing WordPress sites using this plugin are particularly at risk.
Mitigation Recommendations
1. Update the Master Slider plugin to a version in which this vulnerability is patched, once averta releases one. Until then, consider disabling or removing the plugin if feasible.
2. Restrict contributor-level and higher permissions strictly to trusted users; review and audit user roles to minimize the risk of malicious or accidental exploitation.
3. Implement Web Application Firewall (WAF) rules that detect and block suspicious shortcode parameters or script tags in POST requests targeting the masterslider_pb and ms_slide shortcodes.
4. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and allow only trusted sources, mitigating the impact of injected scripts.
5. Conduct regular security scans and monitor for anomalous content injections or unexpected shortcode usage on WordPress sites.
6. Educate site administrators and content contributors about the risks of XSS and safe content practices.
7. Harden WordPress installations by disabling unnecessary plugins and enforcing strong authentication mechanisms such as MFA to reduce the risk of account compromise.
8. Back up site data regularly to enable quick restoration in case of compromise.
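As an added example for the monitoring recommendation above (not code from the advisory or from the plugin), the following Python sketch scans exported post content for the two affected shortcodes and flags attribute values that contain markup, quote characters, event-handler assignments or `javascript:` URIs. The attribute name `example_attr` and the sample posts are constructed for illustration; the advisory does not name the affected attributes.

```python
import html
import re

# Shortcode tags named in the advisory.
TAGS = ("masterslider_pb", "ms_slide")
SHORTCODE_RE = re.compile(r"\[(%s)\b([^\]]*)\]" % "|".join(TAGS), re.IGNORECASE)
# attr="value", attr='value' or attr=bare, the three forms shortcodes accept.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Characters and patterns that warrant review in a slider attribute value.
SUSPICIOUS_RE = re.compile(r"""[<>"']|\bon\w+\s*=|javascript\s*:""", re.IGNORECASE)


def scan_post(post_id, content):
    """Return (post_id, shortcode, attribute, value) for each flagged attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for m in ATTR_RE.finditer(sc.group(2)):
            raw = next(g for g in m.groups()[1:] if g is not None)
            value = html.unescape(raw)  # catch entity-encoded markup as well
            if SUSPICIOUS_RE.search(value):
                findings.append((post_id, sc.group(1).lower(), m.group(1), value))
    return findings


def scan_all(posts):
    """Scan a {post_id: post_content} mapping, e.g. built from a database export."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_post(post_id, content))
    return findings


# Constructed sample data; "example_attr" is a hypothetical attribute name.
SAMPLE_POSTS = {
    101: '[ms_slide example_attr="Welcome slide"]',
    102: "[ms_slide example_attr='x\" onmouseover=\"alert(1)']",
    103: '[masterslider_pb example_attr="&lt;script&gt;alert(1)&lt;/script&gt;"]',
    104: '[gallery ids="1,2"] plain text with <b>markup</b>',
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_POSTS):
        print("review post %s: [%s] %s=%r" % finding)
```

Hits are candidates for manual review rather than confirmed injections: a legitimate value containing an apostrophe will also be flagged.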
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-27T21:41:16.616Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685152c6a8c921274385a0b6
Added to database: 6/17/2025, 11:34:30 AM
Last enriched: 6/17/2025, 11:49:48 AM
Last updated: 1/7/2026, 4:23:01 AM