flexoslider WordPress Plugin CVE-2025-52764
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marielav flexoslider flexoslider allows Reflected XSS.This issue affects flexoslider: from n/a through <= 1.0004.
AnalysisAI
Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79) in a WordPress slider plugin. The flaw stems from improper input sanitization during web page generation - the plugin fails to adequately encode or validate user-supplied input before reflecting it back in HTTP responses. The CVSS vector (AV:N/AC:L) indicates the vulnerability is network-exploitable with low attack complexity, likely through URL parameters or form inputs that are echoed into HTML output without proper escaping. The scope change (S:C) suggests the JavaScript executes in a different security context than the vulnerable plugin itself, typical of XSS where attacker code runs in the victim's browser session with access to cookies, session tokens, and DOM manipulation capabilities across the WordPress site.
Affected ProductsAI
WordPress flexoslider plugin by marielav, all versions from initial release through version 1.0004. Based on NVD data, the vulnerable version range begins at an unspecified early version (listed as 'n/a') and extends up to and including version 1.0004. Users running any version of flexoslider at or below 1.0004 are affected. The vendor advisory is available at Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Plugin/flexoslider/vulnerability/wordpress-flexoslider-plugin-1-0004-cross-site-scripting-xss-vulnerability). Specific CPE strings were not provided in available data.
RemediationAI
Update flexoslider to a version newer than 1.0004 if a patched release exists. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flexoslider/vulnerability/wordpress-flexoslider-plugin-1-0004-cross-site-scripting-xss-vulnerability for vendor-specific remediation guidance. If no patched version is available or the plugin is abandoned, consider replacing flexoslider with an actively maintained alternative WordPress slider plugin that has undergone recent security auditing. As an interim mitigation, implement Content Security Policy (CSP) headers with strict script-src directives to limit inline JavaScript execution, though this may break legitimate plugin functionality and requires testing. Review Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to flexoslider endpoints, understanding this is detection-based rather than preventative. Educate users with WordPress admin access about phishing risks and suspicious links, as social engineering is the required delivery mechanism.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today