CVE-2025-68868

2025-12-29

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 29, 2025 - 17:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codeaffairs Wp Text Slider Widget wp-text-slider-widget allows Stored XSS. This issue affects Wp Text Slider Widget: from n/a through <= 1.0.

Analysis

Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.

Technical Context

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a foundational XSS weakness. The affected plugin is a WordPress widget component that allows users to create and manage text slider content. The root cause involves failure to properly sanitize or escape user-supplied input when generating the widget's front-end output, resulting in stored XSS. Attackers with access to the WordPress admin dashboard (typically plugin/theme editors or administrators) can embed malicious JavaScript within widget settings that persists in the database and executes whenever the widget is rendered for any site visitor, including high-privilege users.
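The sketch below is an added illustration of the pattern described above, not code from wp-text-slider-widget: a widget that sanitizes its settings on save and escapes them again on output, with the unescaped form shown in a comment. The class name, widget ID and the `slides` field are hypothetical; it assumes the file is loaded as a plugin inside WordPress.

```php
<?php
// Added illustration: hypothetical widget, not the wp-text-slider-widget source.
// Assumes it runs inside WordPress (WP_Widget and the esc_*/sanitize_* helpers are core APIs).

class Example_Text_Slider_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_text_slider', 'Example Text Slider' );
    }

    // Save path: normalise each slide before it reaches the options table.
    public function update( $new_instance, $old_instance ) {
        $lines  = explode( "\n", (string) ( $new_instance['slides'] ?? '' ) );
        $slides = array_filter( array_map( 'sanitize_text_field', $lines ), 'strlen' );
        return array( 'slides' => implode( "\n", $slides ) );
    }

    // Admin form: the stored value is echoed into a <textarea>, so escape for that context.
    public function form( $instance ) {
        printf(
            '<textarea class="widefat" rows="6" id="%s" name="%s">%s</textarea>',
            esc_attr( $this->get_field_id( 'slides' ) ),
            esc_attr( $this->get_field_name( 'slides' ) ),
            esc_textarea( $instance['slides'] ?? '' )
        );
    }

    // Front end: escape again at output; the stored value is never trusted,
    // because rows saved before the fix may still hold unsanitized markup.
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<ul class="example-text-slider">';
        foreach ( explode( "\n", $instance['slides'] ?? '' ) as $slide ) {
            if ( '' === trim( $slide ) ) {
                continue;
            }
            // Vulnerable pattern (CWE-79): echo '<li>' . $slide . '</li>';
            echo '<li>' . esc_html( $slide ) . '</li>';
        }
        echo '</ul>';
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Text_Slider_Widget' );
} );
```

Escaping in `widget()` is the control that matters for values already in the database; sanitizing in `update()` only protects settings saved after the change.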

Affected Products

The Wp Text Slider Widget plugin by codeaffairs for WordPress is affected in version 1.0 and earlier. The plugin is distributed through the WordPress plugin repository. No CPE string was provided in available data, but the plugin can be identified via the WordPress plugin ecosystem under the name wp-text-slider-widget.

Remediation

Update the Wp Text Slider Widget plugin to a patched version released after 1.0. Consult the plugin's WordPress.org plugin page or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-text-slider-widget/vulnerability/wordpress-wp-text-slider-widget-plugin-1-0-cross-site-scripting-xss-vulnerability for the specific patched version number. As an interim mitigation, restrict admin dashboard access to trusted users only and audit existing widget configurations for suspicious content. Disable the plugin entirely if a patched version is not yet available and the plugin is non-critical to site functionality.

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
