CVE-2025-14278
Stored XSS in HT Slider for Elementor Plugin Allows Script Injection
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ht_slider | elementor | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the HT Slider for Elementor WordPress plugin. It occurs via the 'slide_title' parameter in versions up to 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. Authenticated users with Contributor-level access or higher can inject malicious scripts that execute when other users view the affected pages.
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access to inject arbitrary scripts into web pages, which execute when other users access those pages. This can lead to unauthorized actions, data theft, session hijacking, or defacement, impacting the security and integrity of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the WordPress site is running the HT Slider for Elementor plugin version 1.7.4 or earlier, which is vulnerable to stored XSS via the 'slide_title' parameter. Detection involves checking the plugin version and inspecting pages or inputs where slide titles are used. Since the vulnerability involves stored cross-site scripting in slide titles, you can look for suspicious or unexpected script tags or JavaScript code in slide titles or pagination bullets. Commands to detect the plugin version on the server include: 1) Using WP-CLI: `wp plugin get ht-slider-for-elementor --field=version` to check the installed version. 2) Searching for the plugin folder and reading the version from the plugin's main PHP file. Additionally, scanning HTTP responses for unescaped or unsanitized slide titles containing script tags can help detect exploitation. Network detection might involve monitoring HTTP responses for injected scripts in pages using the slider. However, no specific detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the HT Slider for Elementor plugin to version 1.7.5 or later, which includes fixes for the stored cross-site scripting vulnerability by properly escaping slide titles and improving input sanitization. This update addresses the XSS issue by escaping HTML special characters in slide titles and improving JavaScript handling to prevent script injection. Additionally, ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated access at that level. If updating immediately is not possible, restrict user permissions and monitor for suspicious activity related to slide titles. Applying the official patch or update is the recommended and effective mitigation. [2]