Skip to main content

CVE-2025-62097

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in seothemes SEO Slider seo-slider allows DOM-Based XSS.This issue affects SEO Slider: from n/a through <= 1.1.1.

AnalysisAI

DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

DOM-based XSS (CWE-79) occurs when user-supplied input is processed and rendered in the browser's Document Object Model without proper sanitization or encoding. This is distinct from reflected or stored XSS because the vulnerability exists entirely in client-side JavaScript logic. SEO Slider, a WordPress plugin for creating responsive image sliders with SEO metadata, fails to neutralize untrusted input when constructing the DOM, allowing an attacker to break out of intended context and execute arbitrary JavaScript in the victim's browser with the privileges of the logged-in user or visitor. The vulnerability likely exists in slider configuration parameters, URL parameters, or shortcode attributes that are processed client-side.

Affected ProductsAI

SEO Slider WordPress plugin versions from the earliest tracked version through and including 1.1.1 are affected. The plugin is identified by vendor seothemes and is available via the WordPress plugin repository. Affected users should consult the Patchstack vulnerability database entry for version confirmation and advisory details.

RemediationAI

Update SEO Slider to a patched version released after 1.1.1. Check the official WordPress plugin repository or seothemes website for the latest available version, as the exact fixed version number is not specified in available data. In the interim, site administrators should restrict plugin access to trusted users, disable the plugin if not actively used, and implement Content Security Policy (CSP) headers on the WordPress site to mitigate XSS impact. Refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/seo-slider/ for vendor-specific remediation guidance and confirmed patch version.

Share

CVE-2025-62097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy