CVE-2025-1203: 
WordPress vulnerability analysis and mitigation

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before version 3.95.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on March 24, 2025, and was assigned identifier CVE-2025-1203. This security issue affects WordPress installations using the MetaSlider plugin, particularly in multisite setups (NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as editors, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring high privileges and user interaction (WPScan).

When exploited, this vulnerability could allow privileged users to inject malicious JavaScript code that executes in other users' browsers when viewing affected pages. This could lead to unauthorized actions being performed on behalf of other users, potential data theft, or manipulation of the website's content (NVD).

The vulnerability has been patched in version 3.95.0 of the MetaSlider plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).