CVE-2025-13153
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: WPScan

Description
The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13153
EUVD
EUVD-2026-0714
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor logo_slider to 4.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13153 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Logo Slider plugin versions before 4.9.0. The plugin does not properly validate and escape certain slider option inputs, specifically several Carousel navigation color settings, before displaying them in the WordPress admin dashboard. This allows users with Contributor role or higher to inject malicious JavaScript code that is stored and executed within the dashboard interface, potentially compromising the site or user data. [1]

Impact Analysis

This vulnerability can allow an attacker with Contributor or higher privileges to inject and execute malicious JavaScript code in the WordPress admin dashboard. This can lead to unauthorized actions such as stealing cookies, session hijacking, or performing actions on behalf of other users, potentially compromising the security and integrity of the website and its users. [1]

Detection Guidance

This vulnerability can be detected by checking if the WordPress site is running the Logo Slider plugin with a version prior to 4.9.0. Additionally, testing for the vulnerability involves logging in as a user with Contributor role or higher and attempting to inject a JavaScript payload into the Carousel navigation color settings (e.g., Nav Color, Nav Hover Color, Background Color, etc.) via the Shortcode Generator slider options. A sample payload to test is: " autofocus onfocus=\"alert(document.cookie)\". If the alert triggers upon submission, the vulnerability is present. There are no specific network commands provided, but verifying plugin version and attempting this injection in the admin dashboard are the detection methods. [1]

Mitigation Strategies

The immediate mitigation step is to update the Logo Slider WordPress plugin to version 4.9.0 or later, where the vulnerability has been fixed. Until the update can be applied, restrict Contributor role users from accessing the plugin's slider options or dashboard areas where the injection can occur. Additionally, consider applying web application firewall (WAF) rules to block suspicious input patterns in the affected fields. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart