CVE-2025-49290
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Reflected XSS. This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Off-Canvas Sidebars & Menus (Slidebars) plugin versions ≤0.5.8.4 allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability Overview
The Off-Canvas Sidebars & Menus (Slidebars) plugin for WordPress, versions 0.5.8.4 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a vulnerable page, which then executes in the browser of a victim who visits the crafted URL.
Exploitation Conditions
Exploitation does not require authentication from the attacker, but successful compromise depends on a privileged user (such as an administrator) performing an action, such as clicking a malicious link, visiting a specially crafted page, or submitting a form [1]. The attack is reflected, meaning the malicious payload is not stored on the server but is delivered via a crafted request and reflected back in the response.
Impact
If exploited, an attacker can inject malicious scripts that may result in redirects, display of advertisements, or other HTML payloads when site visitors access the affected page [1]. This type of vulnerability is moderately dangerous and can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Mitigation
The vulnerability is fixed in version 0.5.8.5 of the plugin [1]. Users are strongly advised to update immediately. Where immediate update is not possible, security tools like Patchstack provide a mitigation rule to block attacks until the patched version is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 0.5.8.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.