Skip to main content

WEN Logo Slider CVE-2025-62127

| EUVDEUVD-2025-209712 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 Patchstack GHSA-3jg8-qc6x-c493
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 09:01 vuln.today
CVE Published
May 07, 2026 - 07:54 nvd
MEDIUM 5.9

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS.

This issue affects WEN Logo Slider: from n/a through 3.4.0.

AnalysisAI

DOM-based cross-site scripting (XSS) in WEN Logo Slider WordPress plugin through version 3.4.0 allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors when the UI redirects the page, potentially compromising site integrity and user data. The vulnerability requires high-privilege administrator access and user interaction (page redirect), limiting its practical scope to insider threats or compromised admin accounts.

Technical ContextAI

WEN Logo Slider is a WordPress plugin that manages logo carousels. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), specifically in DOM-based XSS scenarios. The plugin fails to properly sanitize or escape input before it is used in client-side JavaScript execution contexts, allowing attackers with administrator privileges to craft malicious payloads. DOM-based XSS differs from reflected/stored XSS in that the vulnerability exists in client-side code logic rather than server-side rendering, making detection via traditional server logs difficult.

RemediationAI

Update WEN Logo Slider to a version newer than 3.4.0 released by WEN Themes. WordPress administrators should navigate to their plugin management dashboard, locate WEN Logo Slider, and apply the available update immediately. If a patched version is not yet available, implement access controls by restricting administrator role assignment to trusted users only, enforce multi-factor authentication on all administrator accounts to prevent unauthorized access, and audit plugin settings and logo slider configurations for any suspicious modifications. The Patchstack advisory should be consulted for specific patched version availability. Since exploitation requires high-privilege access combined with user interaction, sites with strictly controlled administrator access face minimal risk during the patching window.

Share

CVE-2025-62127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy