Skip to main content

Master Slider CVE-2026-48968

| EUVDEUVD-2026-32155 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-7v44-gwjr-vp5c
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 22:20 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS.

This issue affects Master Slider: from n/a through 3.10.8.

AnalysisAI

DOM-Based Cross-Site Scripting in the Averta Master Slider WordPress plugin (versions through 3.10.8) enables authenticated low-privilege users to inject persistent malicious scripts that execute in the browsers of other site visitors. The CVSS Scope:Changed flag (S:C) confirms the injected payload can escape the plugin's context and affect the broader browser environment, enabling session hijacking or admin action forgery against higher-privileged users. No public exploit code exists and EPSS at 0.03% (10th percentile) aligns with SSVC's 'Exploitation: none' classification - this is a real but moderate-priority finding gated behind authentication and victim interaction requirements.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) covers cases where user-supplied data is written into the DOM or HTTP response without adequate sanitization or output encoding. The DOM-Based variant specifically means the vulnerability is triggered client-side via JavaScript - the browser itself processes unsanitized input and modifies the DOM, without the malicious payload necessarily appearing in the server's HTTP response, which can bypass some server-side WAF rules. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C confirms the flaw is network-reachable with low attack complexity, requires a low-privilege authenticated session to inject content, and requires a separate victim to trigger execution. The Scope:Changed designation is significant for WordPress plugins: it indicates that script injected via the plugin context can access cookies, localStorage, and DOM elements belonging to the broader WordPress application, not just the plugin's isolated iframe or component. No CPE string was provided in the input data; the affected product is identified by vendor name (Averta) and plugin slug (master-slider) per the Patchstack advisory.

RemediationAI

Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/master-slider/vulnerability/wordpress-master-slider-plugin-3-10-8-cross-site-scripting-xss-vulnerability?_s_id=cve for the confirmed patched release - no exact fixed version number was present in the available input data, so 'Patch available per vendor advisory' is the highest confidence statement supportable here; administrators should update Master Slider to the latest version available in the WordPress plugin repository immediately and verify the installed version exceeds 3.10.8. As a compensating control pending patching, restrict WordPress Contributor and Author role assignments exclusively to fully trusted users, since PR:L in the CVSS vector means any low-privilege account with slider content creation rights is sufficient to inject a payload - revoking untrusted contributor access removes the injection vector entirely without plugin downtime. A WAF rule targeting unsanitized DOM-sink patterns in slider-related POST parameters can reduce exploitation surface but may interfere with legitimate slider configuration; test in staging before production deployment.

Share

CVE-2026-48968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy