CVE-2025-7501: 
WordPress vulnerability analysis and mitigation

The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via image title and description DOM in versions up to and including 14.4. The vulnerability was discovered and disclosed on July 25, 2025, and was assigned CVE-2025-7501 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Wonder Slider Lite WordPress plugin. This security flaw affects the handling of image titles and descriptions in the DOM. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to compromised user sessions and unauthorized actions (NVD).

The vulnerability has been patched in version 14.5 of the Wonder Slider Lite plugin. The update includes improved HTML sanitization in image titles, descriptions, and alt text. Users are advised to update to version 14.5 or later to protect against this vulnerability (WordPress Plugin).