CVE-2025-5337: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in metaslider Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Medium
Tags: Vulnerability | CVE-2025-5337 | cve | cve-2025-5337 | cwe-79
Published: Sat Jun 14 2025 (06/14/2025, 09:23:33 UTC)
Source: CVE Database V5
Vendor/Project: metaslider
Product: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Description

The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/14/2025, 09:49:26 UTC

Technical Analysis

CVE-2025-5337 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Slider, Gallery, and Carousel by MetaSlider plugin for WordPress, versions up to and including 3.98.0. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'aria-label' parameter. This parameter is insufficiently sanitized and escaped, allowing an attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires no user interaction beyond visiting the infected page, and the attacker must have authenticated access with at least Contributor permissions, which is a relatively low privilege level in WordPress. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability is categorized under CWE-79, indicating improper input sanitization during web page generation. No official patches have been linked yet, so mitigation relies on access control and monitoring. Given the widespread use of WordPress and the popularity of MetaSlider as a plugin for image and video sliders, this vulnerability poses a significant risk to websites using this plugin, especially those allowing multiple contributors to publish content.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized script execution within the context of vulnerable websites, potentially compromising user sessions, stealing sensitive data, or defacing websites. Organizations relying on WordPress sites with MetaSlider installed and allowing contributor-level access to multiple users are at heightened risk. This can affect e-commerce platforms, government portals, educational institutions, and media companies that use WordPress for content management. The compromise of user credentials or session tokens via XSS can lead to further internal breaches or data leakage. Additionally, the injected scripts could be used to deliver malware or redirect users to phishing sites, impacting brand reputation and regulatory compliance under GDPR. The scope of impact is amplified by the plugin’s popularity and the common practice of delegating contributor access to multiple users in collaborative environments. Since the vulnerability does not require user interaction beyond a page visit, automated exploitation or worm-like propagation within an organization’s intranet is possible if internal WordPress sites are affected.

Mitigation Recommendations

1. Immediately restrict Contributor-level and higher access to trusted users only until a patch is available.
2. Implement strict input validation and output encoding on the 'aria-label' parameter if custom code or filters are used.
3. Monitor WordPress sites for unusual script injections or unexpected changes in slider content.
4. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'aria-label' parameter.
5. Regularly audit user roles and permissions to minimize the number of users with contributor or higher privileges.
6. Disable or remove the MetaSlider plugin temporarily if feasible until an official patch is released.
7. Educate content contributors about the risks of uploading or embedding untrusted content.
8. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites.
9. Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patching.
10. Conduct penetration testing focused on stored XSS vectors in the affected plugin components.
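Recommendation 2 concerns output encoding of the 'aria-label' value. As an added example (not code from MetaSlider or Wordfence), the following PHP contrasts the unescaped attribute rendering this advisory describes with attribute-context escaping, plus a small audit check; the function names and the sample label are constructed for illustration.

```php
<?php
// Added illustration, not MetaSlider's code: the class of defect described in
// this advisory (an aria-label value reaching HTML attribute context without
// escaping) next to the hardened rendering. Function names are hypothetical.

// Vulnerable pattern: the stored value is concatenated directly into the
// attribute, so a double quote inside it terminates aria-label early and
// whatever follows is parsed by the browser as further markup.
function render_slide_unsafe(string $src, string $aria_label): string
{
    return '<img src="' . $src . '" aria-label="' . $aria_label . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In WordPress the equivalents are esc_attr() for attributes and esc_url()
// for the src; stand-alone PHP uses htmlspecialchars() with ENT_QUOTES so
// that both " and ' are encoded and can no longer close the attribute.
function render_slide_safe(string $src, string $aria_label): string
{
    $attr = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $attr($src) . '" aria-label="' . $attr($aria_label) . '">';
}

// Defender-side check: a rendered tag should carry exactly the attributes the
// template defines. Counting attribute openers (`name="`) is a cheap way to
// spot an injected attribute in a test suite or a content audit.
function attribute_count(string $html): int
{
    return preg_match_all('/\s[a-zA-Z-]+="/', $html);
}

// Constructed sample value, the kind a Contributor could store as a label.
// It contains a double quote and angle brackets, the characters that break
// out of attribute context.
$label = 'Hero banner" data-x="<b>';

$unsafe = render_slide_unsafe('/img/hero.jpg', $label);
$safe   = render_slide_safe('/img/hero.jpg', $label);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// The template defines two attributes (src and aria-label); any count above
// that in a rendered slide means stored content escaped its attribute.
printf("unsafe attributes: %d, safe attributes: %d\n",
    attribute_count($unsafe), attribute_count($safe));
```

The same audit idea can be run over saved slider markup during monitoring (recommendation 3): any slide tag carrying attributes the template never emits is worth investigating.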

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-29T18:45:27.758Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684d421fa8c921274381960f

Added to database: 6/14/2025, 9:34:23 AM

Last enriched: 6/14/2025, 9:49:26 AM

Last updated: 6/14/2025, 11:36:14 AM
