CVE-2025-5337: 
WordPress vulnerability analysis and mitigation

The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5337) that affects versions up to and including 3.98.0. The vulnerability was discovered and disclosed on June 14, 2025, affecting authenticated users with Contributor-level access and above (NVD CVE, Wiz Report).

The vulnerability stems from insufficient input sanitization and output escaping of the 'aria-label' parameter in the MetaSlider plugin. It has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD CVE, Wiz Report).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD CVE).

The vulnerability has been patched in version 3.99.0 of the MetaSlider plugin. The fix includes proper sanitization of the aria-label parameter through JavaScript (WordPress Plugin, MetaSlider Script).