CVE-2025-13153
BaseFortify
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | logo_slider | up to 4.9.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13153 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Logo Slider plugin versions before 4.9.0. The plugin does not properly validate and escape certain slider option inputs, specifically several Carousel navigation color settings, before displaying them in the WordPress admin dashboard. This allows users with Contributor role or higher to inject malicious JavaScript code that is stored and executed within the dashboard interface, potentially compromising the site or user data. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with Contributor or higher privileges to inject and execute malicious JavaScript code in the WordPress admin dashboard. This can lead to unauthorized actions such as stealing cookies, session hijacking, or performing actions on behalf of other users, potentially compromising the security and integrity of the website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is running the Logo Slider plugin with a version prior to 4.9.0. Additionally, testing for the vulnerability involves logging in as a user with Contributor role or higher and attempting to inject a JavaScript payload into the Carousel navigation color settings (e.g., Nav Color, Nav Hover Color, Background Color, etc.) via the Shortcode Generator slider options. A sample payload to test is: " autofocus onfocus=\"alert(document.cookie)\". If the alert triggers upon submission, the vulnerability is present. There are no specific network commands provided, but verifying plugin version and attempting this injection in the admin dashboard are the detection methods. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Logo Slider WordPress plugin to version 4.9.0 or later, where the vulnerability has been fixed. Until the update can be applied, restrict Contributor role users from accessing the plugin's slider options or dashboard areas where the injection can occur. Additionally, consider applying web application firewall (WAF) rules to block suspicious input patterns in the affected fields. [1]