Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS requiring victim interaction (UI:R) with browser-context scope change (S:C); Low confidentiality/integrity but no genuine availability impact, so A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.
AnalysisAI
Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Master Slider plugin (version 3.11.2 or earlier) to be installed and active on a WordPress site, and the victim must interact with attacker-controlled content (UI:R in the CVSS vector) - typically clicking a crafted link or loading a page containing the injected payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious URL or input targeting the vulnerable Master Slider parameter and entices a logged-in administrator or site visitor to load it; when the page renders, the injected JavaScript runs in the victim's browser, allowing session cookie theft or unauthorized actions against the WordPress site. Because UI:R is required, the attack depends on social engineering or a malicious link, and no public POC is currently referenced. |
| Remediation | No vendor-released patch version is identified in the provided data; upgrade Master Slider to the first release published after 3.11.2 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/master-slider/vulnerability/wordpress-master-slider-plugin-3-11-2-cross-site-scripting-xss-vulnerability) or the plugin changelog. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations using Averta Master Slider v3.11.2 or earlier; temporarily disable the plugin if operational requirements permit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Master Slider
View allDuring testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an una
The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the M
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sl
Deserialization of Untrusted Data vulnerability in Averta Master Slider.9.5. Rated high severity (CVSS 8.3), this vulner
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Master slider Mast
The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow hi
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slid
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39377
GHSA-g89j-rqr8-pg94