CVE-2025-5125
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-11
Assigner: WPScan
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| howardehrenberg | custom_post_carousels_with_owl | up to 1.4.12 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can allow an attacker with contributor-level access to inject malicious JavaScript code into the website. When other users click on the affected elements, the malicious script executes, potentially leading to unauthorized actions such as session hijacking, defacement, or theft of sensitive information. This can compromise the security and integrity of the website and its users. [1]
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the WordPress plugin "Custom Post Carousels with Owl" versions before 1.4.12. It occurs because the plugin uses the featherlight library and processes the data-featherlight attribute without properly sanitizing it. This allows an authenticated contributor-level user to inject malicious JavaScript code that executes when other users interact with the affected content. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the WordPress site runs the Custom Post Carousels with Owl plugin at a version earlier than 1.4.12. Additionally, you can look for posts or content containing the shortcode [dd-owl-carousel id="..."] with anchor tags whose data-featherlight attribute holds suspicious or encoded JavaScript payloads. For example, searching the WordPress database for occurrences of 'data-featherlight' with suspicious content can help detect exploitation attempts. No specific network commands are provided, but inspecting the WordPress admin interface for the plugin version and reviewing carousel content for injected scripts is recommended. [1]
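A content scan of the kind described above, added here as an example (not code from the original page or from the plugin): it pulls every data-featherlight value out of post content, entity-decodes it as a browser would, and flags values carrying markup or script tokens, on the assumption that a legitimate value is a featherlight type keyword, a CSS selector or a URL. The sample rows and the SUSPICIOUS heuristic are constructed for the example; in practice the same function would run over rows selected from wp_posts.

```python
import html
import re

# Constructed sample rows, as (post_id, post_content), standing in for
# rows fetched from wp_posts; none of these come from the original page.
SAMPLE_POSTS = [
    (101, '[dd-owl-carousel id="3"]<a href="/img/a.jpg" data-featherlight="image">A</a>'),
    (102, '[dd-owl-carousel id="3"]<a href="#" data-featherlight="<script>alert(1)</script>">B</a>'),
    (103, '<a href="#" data-featherlight="&lt;img src=x onerror=alert(1)&gt;">C</a>'),
    (104, '<a href="/gallery" data-featherlight="#gallery-1">D</a>'),
]

SHORTCODE = re.compile(r'\[dd-owl-carousel\b')
# data-featherlight value in double quotes, single quotes, or unquoted.
FEATHERLIGHT_ATTR = re.compile(
    r'data-featherlight\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
# Heuristic (constructed): a type keyword, selector or URL never contains a
# tag opener, a javascript: scheme, an on*= handler or a data:text/html URL.
SUSPICIOUS = re.compile(
    r'<\s*[a-z!/]|javascript\s*:|\bon[a-z]+\s*=|data\s*:\s*text/html', re.I)


def featherlight_values(content):
    """Return every data-featherlight value in content, entity-decoded."""
    values = []
    for m in FEATHERLIGHT_ATTR.finditer(content):
        raw = next(v for v in m.groups() if v is not None)
        # Decode &lt;...&gt; so an entity-encoded payload is inspected the
        # way the DOM will see it once the attribute is read back.
        values.append(html.unescape(raw))
    return values


def scan_post(post_id, content):
    """Return one finding per suspicious data-featherlight value in a post."""
    findings = []
    for value in featherlight_values(content):
        if SUSPICIOUS.search(value):
            findings.append({
                'post_id': post_id,
                'has_carousel_shortcode': bool(SHORTCODE.search(content)),
                'value': value,
            })
    return findings


def scan_posts(posts):
    """Scan an iterable of (post_id, post_content) rows and collect findings."""
    return [f for post_id, content in posts for f in scan_post(post_id, content)]


if __name__ == '__main__':
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} (shortcode={f['has_carousel_shortcode']}): {f['value']!r}")
```

Hits should be triaged by hand: the heuristic is deliberately broad and will also flag an unusual but harmless URL, while a flagged post with the carousel shortcode is the case most likely to reach other users' browsers.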
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Custom Post Carousels with Owl WordPress plugin to version 1.4.12 or later, where the vulnerability is fixed. Additionally, review and sanitize any existing carousel content that may contain malicious data-featherlight attributes to prevent stored XSS execution. Restrict contributor-level user permissions if possible until the update is applied to reduce the risk of malicious script injection. [1]