Skip to main content

flexoslider WordPress Plugin CVE-2025-52764

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:54 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marielav flexoslider flexoslider allows Reflected XSS.This issue affects flexoslider: from n/a through <= 1.0004.

AnalysisAI

Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.

Technical ContextAI

This is a classic reflected XSS vulnerability (CWE-79) in a WordPress slider plugin. The flaw stems from improper input sanitization during web page generation - the plugin fails to adequately encode or validate user-supplied input before reflecting it back in HTTP responses. The CVSS vector (AV:N/AC:L) indicates the vulnerability is network-exploitable with low attack complexity, likely through URL parameters or form inputs that are echoed into HTML output without proper escaping. The scope change (S:C) suggests the JavaScript executes in a different security context than the vulnerable plugin itself, typical of XSS where attacker code runs in the victim's browser session with access to cookies, session tokens, and DOM manipulation capabilities across the WordPress site.

Affected ProductsAI

WordPress flexoslider plugin by marielav, all versions from initial release through version 1.0004. Based on NVD data, the vulnerable version range begins at an unspecified early version (listed as 'n/a') and extends up to and including version 1.0004. Users running any version of flexoslider at or below 1.0004 are affected. The vendor advisory is available at Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Plugin/flexoslider/vulnerability/wordpress-flexoslider-plugin-1-0004-cross-site-scripting-xss-vulnerability). Specific CPE strings were not provided in available data.

RemediationAI

Update flexoslider to a version newer than 1.0004 if a patched release exists. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flexoslider/vulnerability/wordpress-flexoslider-plugin-1-0004-cross-site-scripting-xss-vulnerability for vendor-specific remediation guidance. If no patched version is available or the plugin is abandoned, consider replacing flexoslider with an actively maintained alternative WordPress slider plugin that has undergone recent security auditing. As an interim mitigation, implement Content Security Policy (CSP) headers with strict script-src directives to limit inline JavaScript execution, though this may break legitimate plugin functionality and requires testing. Review Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to flexoslider endpoints, understanding this is detection-based rather than preventative. Educate users with WordPress admin access about phishing risks and suspicious links, as social engineering is the required delivery mechanism.

Share

CVE-2025-52764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy