CVE-2025-12590: 
WordPress vulnerability analysis and mitigation

The YSlider WordPress plugin (versions up to and including 1.1) contains a vulnerability identified as CVE-2025-12590, discovered and disclosed on November 10, 2025. The vulnerability combines Cross-Site Request Forgery (CSRF) with Stored Cross-Site Scripting (XSS) affecting the content configuration page of the plugin (NVD).

The vulnerability stems from two key security issues: missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness has been categorized as CWE-352 (Cross-Site Request Forgery) (NVD, AttackerKB).

When successfully exploited, the vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages through forged requests. These injected scripts will execute whenever any user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD).

Users should update their YSlider plugin to a version newer than 1.1 once a patch becomes available. In the meantime, website administrators should consider disabling the plugin if it's not critical to their operations (NVD).