CVE-2025-62121

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 14:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Logo Slider, Logo Carousel, Logo showcase, Client Logo tc-logo-slider allows Stored XSS. This issue affects Logo Slider, Logo Carousel, Logo showcase, Client Logo: from n/a through <= 1.8.1.

Analysis

Stored cross-site scripting (XSS) in the Imran Emu Logo Slider WordPress plugin, versions 1.8.1 and earlier, allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or a compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. The EPSS score of 0.01% indicates a low probability of exploitation in the wild, though the stored nature of the XSS elevates the persistence risk once a payload has been injected.

Technical Context

This vulnerability is rooted in CWE-79: Improper Neutralization of Input During Web Page Generation, specifically the stored XSS variant. The tc-logo-slider plugin fails to properly sanitize and escape user-supplied input before storing it in the database and rendering it on the front end. When the plugin retrieves and displays logo data, stored malicious JavaScript executes in the context of the WordPress site because the output is neither validated nor encoded. The affected CPE is likely cpe:2.3:a:imran_emu:tc-logo-slider:*:*:*:*:*:wordpress:*:*, with versions up to and including 1.8.1.

Affected Products

The Imran Emu Logo Slider plugin, marketed under multiple names including Logo Carousel, Logo Showcase, and Client Logo (all variants of tc-logo-slider), is affected in versions 1.8.1 and earlier. The plugin is distributed via the WordPress.org plugin repository. No specific CPE version range is provided in the advisory data, but the vulnerability applies to all releases from the plugin's initial version through 1.8.1 inclusive. WordPress installations using any variant of this plugin at version 1.8.1 or below require immediate patching.

Remediation

Update the tc-logo-slider plugin to a version newer than 1.8.1. Consult the official Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/tc-logo-slider/vulnerability/wordpress-logo-slider-logo-carousel-logo-showcase-client-logo-plugin-1-8-1-cross-site-scripting-xss-vulnerability for the exact patched version number and installation instructions. If a patched version is not yet available from the plugin vendor, immediately disable the plugin and replace it with an alternative logo display solution, or restrict author/editor capabilities on your WordPress site to limit the attack surface for authenticated injection. After patching, audit the plugin settings and user-generated content for any injected scripts and remove them.

Priority Score

Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
