CVE-2025-60133

The PE Easy Slider plugin for WordPress, up to version 1.1.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows an attacker with sufficient privileges (e.g., Editor or Author) to inject arbitrary HTML and JavaScript code into slider content, which is then stored on the server and executed when other users or visitors view the affected page [1].

Exploitation requires the attacker to have a WordPress account with the ability to create or edit slider entries. The injected payload is stored and later triggered without further user interaction from the victim, making it a classic stored XSS scenario. The vulnerability is rated Medium (CVSS 5.9) and is known to be used in mass-exploit campaigns targeting thousands of sites [1].

Successful exploitation enables the attacker to perform actions such as redirect visitors to malicious sites, display fake advertisements, steal session cookies, or deface the website. Because the script executes in the context of the victim's browser, it can also be used to escalate privileges if an administrator views the infected page [1].

As of the advisory date, the vendor has not released a patched version. Users are strongly advised to update the plugin immediately if a fix becomes available, or to disable and remove the plugin as a workaround. Site administrators should also review user roles and limit slider editing privileges to trusted users only [1].