Skip to main content

CVE-2025-68879

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-29 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 29, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in councilsoft Content Grid Slider content-grid-slider allows Reflected XSS.This issue affects Content Grid Slider: from n/a through <= 1.5.

AnalysisAI

Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin that displays content grids with image sliders. The vulnerability stems from insufficient input validation and output encoding in the Content Grid Slider plugin's page generation logic. When user-supplied input is included in HTTP responses without proper HTML encoding or sanitization, attackers can inject arbitrary JavaScript code into the response. The vulnerability is reflected rather than stored, meaning the malicious payload must be delivered via a crafted URL that the victim visits, rather than being permanently stored in the plugin's database. The affected product is identified by CPE wordpress#content-grid-slider (or similar WordPress plugin identifier) through version 1.5.

Affected ProductsAI

The Content Grid Slider WordPress plugin is affected in all versions from the earliest release through version 1.5. The plugin is hosted on the WordPress plugin repository and identified via Patchstack as a WordPress plugin for content display. Affected installations include any WordPress site running Content Grid Slider version 1.5 or earlier.

RemediationAI

Update the Content Grid Slider plugin to a version newer than 1.5 immediately when available from the WordPress plugin repository or the vendor. Consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/content-grid-slider/vulnerability/wordpress-content-grid-slider-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for patch availability and release notes. As a temporary workaround, restrict plugin functionality or disable the vulnerable feature until patched. Website administrators should also review Web Application Firewall (WAF) rules to detect and block reflected XSS payloads targeting the plugin's input parameters.

Share

CVE-2025-68879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy