CVE-2025-68879
Lifecycle Timeline
2Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in councilsoft Content Grid Slider content-grid-slider allows Reflected XSS.This issue affects Content Grid Slider: from n/a through <= 1.5.
Analysis
Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.
Technical Context
This is a reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin that displays content grids with image sliders. The vulnerability stems from insufficient input validation and output encoding in the Content Grid Slider plugin's page generation logic. When user-supplied input is included in HTTP responses without proper HTML encoding or sanitization, attackers can inject arbitrary JavaScript code into the response. The vulnerability is reflected rather than stored, meaning the malicious payload must be delivered via a crafted URL that the victim visits, rather than being permanently stored in the plugin's database. The affected product is identified by CPE wordpress#content-grid-slider (or similar WordPress plugin identifier) through version 1.5.
Affected Products
The Content Grid Slider WordPress plugin is affected in all versions from the earliest release through version 1.5. The plugin is hosted on the WordPress plugin repository and identified via Patchstack as a WordPress plugin for content display. Affected installations include any WordPress site running Content Grid Slider version 1.5 or earlier.
Remediation
Update the Content Grid Slider plugin to a version newer than 1.5 immediately when available from the WordPress plugin repository or the vendor. Consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/content-grid-slider/vulnerability/wordpress-content-grid-slider-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for patch availability and release notes. As a temporary workaround, restrict plugin functionality or disable the vulnerable feature until patched. Website administrators should also review Web Application Firewall (WAF) rules to detect and block reflected XSS payloads targeting the plugin's input parameters.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today