CVE-2025-24533
Description
Cross-Site Request Forgery (CSRF) vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Cross Site Request Forgery. This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.92.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in MetaSlider Responsive Slider plugin (≤3.92.0) allows attackers to perform unauthorized actions on behalf of authenticated users.
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the MetaSlider Responsive Slider by MetaSlider plugin for WordPress, affecting all versions up to and including 3.92.0 [1]. The issue stems from insufficient validation of HTTP requests, which lets an attacker craft requests that a privileged user's browser submits, and the site processes, without that user's consent.
To exploit this vulnerability, an attacker must trick a logged-in administrator or other privileged user into clicking a crafted link, visiting a specially prepared page, or submitting a malicious form [1]. No direct authentication is required for the attacker, but the target must have an active session, and user interaction is necessary. This CSRF vector can be used to force the victim to perform unintended actions, such as changing plugin settings or performing other state-changing operations under their current authentication [1].
Successful exploitation could allow a malicious actor to execute unwanted actions with the privileges of the targeted user, potentially leading to unauthorized modifications within the WordPress site [1]. The CVSS v3 score of 5.4 (Medium) reflects the need for user interaction and the scope of impact. While the advisory notes a low severity and low likelihood of exploitation, such CSRF flaws are occasionally used in broader attack campaigns [1].
As a mitigation, the vendor has released version 3.92.1 which resolves the vulnerability [1]. Users are advised to update to the latest version immediately. For those unable to update, enabling auto-updates (where supported) or consulting a hosting provider is recommended. No other workarounds have been documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.