Skip to main content

Master Slider CVE-2026-56014

| EUVDEUVD-2026-39377 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Patchstack GHSA-g89j-rqr8-pg94
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Network-reachable unauthenticated XSS requiring victim interaction (UI:R) with browser-context scope change (S:C); Low confidentiality/integrity but no genuine availability impact, so A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:22 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.

AnalysisAI

Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload in plugin parameter
Delivery
Lure victim to crafted link/page
Exploit
Browser renders unsanitized output
Execution
Script executes in victim session
Impact
Steal cookies or perform actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the Master Slider plugin (version 3.11.2 or earlier) to be installed and active on a WordPress site, and the victim must interact with attacker-controlled content (UI:R in the CVSS vector) - typically clicking a crafted link or loading a page containing the injected payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL or input targeting the vulnerable Master Slider parameter and entices a logged-in administrator or site visitor to load it; when the page renders, the injected JavaScript runs in the victim's browser, allowing session cookie theft or unauthorized actions against the WordPress site. Because UI:R is required, the attack depends on social engineering or a malicious link, and no public POC is currently referenced.
Remediation No vendor-released patch version is identified in the provided data; upgrade Master Slider to the first release published after 3.11.2 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/master-slider/vulnerability/wordpress-master-slider-plugin-3-11-2-cross-site-scripting-xss-vulnerability) or the plugin changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using Averta Master Slider v3.11.2 or earlier; temporarily disable the plugin if operational requirements permit. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-6490 MEDIUM POC
6.5 Jul 26

During testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an una

CVE-2018-20368 MEDIUM POC
5.4 Dec 23

The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the M

CVE-2024-0611 MEDIUM POC
4.4 Mar 02

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sl

CVE-2024-32600 HIGH
8.3 Apr 18

Deserialization of Untrusted Data vulnerability in Averta Master Slider.9.5. Rated high severity (CVSS 8.3), this vulner

CVE-2023-47506 HIGH
7.6 Dec 18

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Master slider Mast

CVE-2024-12173 LOW POC
3.5 Feb 19

The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow hi

CVE-2024-32580 MEDIUM
6.5 Apr 18

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slid

CVE-2023-6382 MEDIUM
6.4 Jun 01

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2024-4470 MEDIUM
6.4 May 21

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2024-4375 MEDIUM
6.4 Jun 18

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2024-1449 MEDIUM
6.4 Mar 02

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2024-13757 MEDIUM
6.4 Mar 05

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

Share

CVE-2026-56014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy