CVE-2025-22330

The MG Parallax Slider plugin for WordPress versions up to and including 1.0 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code into web pages served by the plugin.

Exploitation requires a privileged user to interact with a crafted link or form, such as clicking a malicious URL or visiting a prepared page. No special network position is needed, as the attack can be delivered remotely via email, social media, or other channels [1]. The attacker does not require authentication beyond the target user's existing session.

Successful exploitation allows the attacker to execute malicious scripts in the context of the victim's browser session. This can lead to redirection to attacker-controlled sites, injection of advertisements, or theft of sensitive information from the authenticated user's session [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting multiple websites.

Mitigation is available through Patchstack's automatic rule, which blocks attacks until an official patch is released. The recommended immediate action is to update the plugin to a patched version once available, or to contact a hosting provider or web developer for assistance [1].