CVE-2025-66092
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS. This issue affects Accordion Slider: from n/a through <= 1.9.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Accordion Slider plugin (≤1.9.13) allows authenticated attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Overview
The Accordion Slider plugin for WordPress versions 1.9.13 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables attackers with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into the plugin's slider content, which is then stored and executed when other users view the affected page.
Exploitation
Conditions
Exploitation requires an authenticated user with at least the contributor role to submit crafted input through the plugin's interface [1]. The victim needs to do nothing beyond viewing a page that renders the stored slider content; the injection itself, however, is a privileged action (for example, saving slider settings). Because a contributor account is needed, this is not an unauthenticated, drive-by issue: the realistic scenarios are a malicious or compromised contributor account, or a site whose open registration assigns new users the contributor role.
Impact
Successful exploitation runs attacker-controlled script in the browser of anyone who views the affected page, in that visitor's session context. Typical payloads redirect visitors to malicious sites, inject unauthorized advertisements, steal session cookies, or deface the page [1]. WordPress marks its authentication cookies HttpOnly, so outright cookie theft is usually blocked; the more serious risk is script running in an administrator's session, which can issue authenticated requests on that administrator's behalf. Because the payload is stored server-side, it fires on every subsequent page load for every visitor, administrators included, until the malicious content is removed.
Mitigation
The vendor has released version 1.9.14, which resolves the issue by sanitizing slider content before it is rendered [1]. Update immediately. Patchstack users can enable auto-updates so that vulnerable plugins are patched as soon as a fix is published. No workaround other than updating or deactivating the plugin is currently available [1]. Note that updating does not necessarily remove payloads stored before the fix, so review existing slider content for injected markup, and in the meantime limit who holds the contributor role or higher.
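To make the bug class from the Overview and the two halves of the fix from the Mitigation section concrete (sanitize on write, escape per output context), here is an added, hypothetical WordPress snippet written for this page. It is not the Accordion Slider plugin's code and does not claim to show where the real flaw sits; the option key `acc_demo_slide`, the `edit_others_posts` capability, the nonce action, the field names and the markup are all assumptions. The core functions it calls (`wp_kses_post`, `sanitize_text_field`, `esc_url_raw`, `esc_attr`, `esc_html`, `esc_url`, `current_user_can`, `check_admin_referer`) are real WordPress APIs, so it needs the WordPress runtime to execute.

```php
<?php
/**
 * Hypothetical slide save/render code illustrating stored XSS in plugin-owned
 * data and its fix. NOT the Accordion Slider plugin's code; option key,
 * capability, nonce action, field names and markup are assumptions.
 * Requires the WordPress runtime.
 */

const ACC_DEMO_OPTION = 'acc_demo_slide';   // assumed storage key

// ---- Vulnerable pattern: store raw input, echo it unescaped ---------------

function acc_demo_save_slide_vulnerable() {
    // Whoever reaches this handler (e.g. a contributor) stores raw HTML.
    $slide = array(
        'title'   => wp_unslash( $_POST['title']   ?? '' ),
        'link'    => wp_unslash( $_POST['link']    ?? '' ),
        'caption' => wp_unslash( $_POST['caption'] ?? '' ),
    );
    update_option( ACC_DEMO_OPTION, $slide );   // persisted verbatim
}

function acc_demo_render_slide_vulnerable() {
    $s = get_option( ACC_DEMO_OPTION, array() );
    // A title of  "><img src=x onerror=alert(1)>  breaks out of the attribute,
    // a link of  javascript:alert(1)  fires on click, and a caption containing
    // <script> runs for every visitor on every page load.
    echo '<div class="as-slide" data-title="' . ( $s['title'] ?? '' ) . '">';
    echo '  <a href="' . ( $s['link'] ?? '' ) . '">' . ( $s['title'] ?? '' ) . '</a>';
    echo '  <p>' . ( $s['caption'] ?? '' ) . '</p>';
    echo '</div>';
}

// ---- Hardened pattern: authorize, sanitize on write, escape per context ----

function acc_demo_save_slide_hardened() {
    check_admin_referer( 'acc_demo_save_slide' );   // CSRF: assumed nonce action

    // Tie the write to a concrete capability instead of "is logged in".
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $raw_caption = wp_unslash( $_POST['caption'] ?? '' );

    $slide = array(
        // Plain text: tags, control characters and stray whitespace removed.
        'title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        // URL for storage: non-allowlisted schemes such as javascript: are dropped.
        'link'    => esc_url_raw( wp_unslash( $_POST['link'] ?? '' ) ),
        // Rich text: core's post-content allowlist (<a>, <strong>, <img>, ...)
        // with <script>, on* handlers and javascript: URLs stripped.
        // Contributors never hold 'unfiltered_html'; core enforces that for
        // post_content, but plugin-owned data has to enforce it itself.
        'caption' => current_user_can( 'unfiltered_html' )
            ? $raw_caption
            : wp_kses_post( $raw_caption ),
    );
    update_option( ACC_DEMO_OPTION, $slide );
}

function acc_demo_render_slide_hardened() {
    $s = get_option( ACC_DEMO_OPTION, array() );
    // Escape on output even though input was sanitized: rows may predate the
    // fix or have been written through another path (import, direct DB edit).
    echo '<div class="as-slide" data-title="' . esc_attr( $s['title'] ?? '' ) . '">';
    echo '  <a href="' . esc_url( $s['link'] ?? '' ) . '">' . esc_html( $s['title'] ?? '' ) . '</a>';
    echo '  <p>' . wp_kses_post( $s['caption'] ?? '' ) . '</p>';
    echo '</div>';
}
```

The output-side escaping is chosen per context: `esc_attr` for the attribute (it encodes the `"` that the attribute-breakout payload relies on), `esc_html` for text nodes, `esc_url` for the `href`, and `wp_kses_post` for the one field that legitimately carries markup. Sanitizing only on save is the weaker half of the fix, because anything already stored before the update stays dangerous; escaping on output neutralizes old rows too.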
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier:
- (no CPE) range: <= 1.9.13
- (no CPE) range: <= 1.9.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference indexed (cited as [1] above).
News mentions
No linked articles in our index yet.