CVE-2025-5337 identifies a stored Cross-Site Scripting vulnerability in the Slider, Gallery, and Carousel by MetaSlider plugin for WordPress, versions up to and including 3.98.0. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'aria-label' parameter. This parameter is used in accessibility attributes but is not properly validated, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. When other users visit pages containing the injected payload, the malicious script executes in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim’s session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin increases the risk of future exploitation. The issue highlights the importance of secure coding practices around user input, especially in plugins that affect front-end content and accessibility features.

The impact of CVE-2025-5337 is significant for organizations using WordPress sites with the MetaSlider plugin installed. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking and unauthorized access. It may also facilitate further attacks like phishing, malware distribution, or defacement. Since Contributor-level users typically have limited privileges, this vulnerability effectively elevates their ability to compromise site integrity and user trust. The confidentiality and integrity of user data are at risk, though availability is not directly impacted. Given MetaSlider’s popularity, many websites globally could be affected, potentially undermining the security posture of organizations relying on this plugin for content presentation. The vulnerability also poses reputational risks and compliance challenges, especially for sites handling personal or sensitive data.

To mitigate CVE-2025-5337, organizations should: 1) Immediately update the MetaSlider plugin to a patched version once released by the vendor. 2) Until a patch is available, restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious input. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'aria-label' parameter. 4) Conduct thorough input validation and output encoding on all user-supplied data, especially accessibility attributes, to prevent script injection. 5) Regularly audit user roles and permissions to ensure least privilege principles are enforced. 6) Monitor website logs and user activity for signs of exploitation or anomalous behavior. 7) Educate site administrators and developers on secure coding practices related to XSS and accessibility features. 8) Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.