Skip to main content

Flashfader WordPress Plugin CVE-2025-27279

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:50 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Flashfader allows Reflected XSS. This issue affects Flashfader: from n/a through 1.1.1.

AnalysisAI

Reflected cross-site scripting in Flashfader WordPress plugin through version 1.1.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is low (0.09%, 26th percentile) with no confirmed active exploitation (not in CISA KEV). Patchstack vulnerability database lists this as a reflected XSS requiring social engineering or phishing to trick users into clicking malicious links. The changed scope (S:C) in CVSS indicates potential for cross-context attacks including session hijacking or privilege escalation within WordPress admin environments.

Technical ContextAI

This vulnerability stems from improper neutralization of user-controlled input (CWE-79) during web page generation in the Flashfader WordPress plugin. Flashfader is a slideshow/image rotation plugin for WordPress installations. Reflected XSS occurs when attacker-controlled data is immediately returned in HTTP responses without proper sanitization, encoding, or validation. The network attack vector (AV:N) combined with low complexity (AC:L) indicates the vulnerable endpoint accepts malicious payloads through URL parameters or form inputs that are reflected back into HTML context without escaping. The changed scope (S:C) suggests the injected script can access resources beyond the vulnerable component's security context, potentially affecting WordPress admin sessions or other plugins sharing the same origin.

Affected ProductsAI

Flashfader WordPress plugin versions through 1.1.1 are confirmed vulnerable per Patchstack database analysis. The CPE identifier would follow the pattern cpe:2.3:a:notfound:flashfader:*:*:*:*:*:wordpress:*:* with version constraints up to and including 1.1.1. This affects WordPress installations running any version of Flashfader from the earliest available release through version 1.1.1. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/flashfader/vulnerability/wordpress-flashfader-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability provides technical details for affected versions.

RemediationAI

Primary remediation is to remove or replace Flashfader plugin with actively maintained alternatives, as version 1.1.1 appears to be the latest release with no confirmed patched version identified in WordPress plugin repository or vendor channels. If business requirements mandate continued use, implement compensating controls: configure Web Application Firewall (WAF) rules to block common XSS payloads in query parameters and POST bodies (trade-off: may cause false positives blocking legitimate content with special characters); implement Content Security Policy (CSP) headers with 'script-src self' to prevent inline script execution (trade-off: may break plugin functionality if it relies on inline scripts); restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules (trade-off: impacts remote administration capability); enable WordPress security plugins like Wordfence or Sucuri that provide virtual patching for XSS vulnerabilities (trade-off: performance overhead and subscription costs). Monitor Patchstack advisory at https://patchstack.com/database/wordpress/plugin/flashfader for patch release announcements. For critical environments, audit plugin source code to identify and manually patch vulnerable input handling in PHP files, though this requires ongoing maintenance for WordPress core updates.

Share

CVE-2025-27279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy