CVE-2025-5125: 
WordPress vulnerability analysis and mitigation

The Custom Post Carousels with Owl WordPress plugin before version 1.4.12 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on May 30, 2025. The issue affects the plugin's implementation of the featherlight library, specifically in how it handles the data-featherlight attribute without proper sanitization (WPScan, NVD).

The vulnerability stems from insufficient input sanitization of the data-featherlight attribute when using the featherlight library. The issue is classified as a Stored XSS vulnerability and is tracked as CWE-79. The vulnerability affects users with Contributor-level access and above, allowing them to inject malicious scripts that execute when other users view the affected content (WPScan).

When exploited, this vulnerability allows authenticated users with Contributor-level access or higher to inject malicious JavaScript code that executes in the context of other users' browsers when they view the affected content. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been fixed in version 1.4.12 of the Custom Post Carousels with Owl WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).