CVE-2025-8690

The Simple Responsive Slider plugin for WordPress, versions up to and including 2.0, suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping, allowing arbitrary web script injection through the plugin's input fields.

An attacker must have at least Contributor-level access to the WordPress site to exploit this flaw. Once injected, the malicious script is stored and executed whenever a user (including administrators) accesses the affected page. No additional authentication or network position is required beyond the initial Contributor access.

Successful exploitation permits the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, effectively compromising the integrity and confidentiality of the vulnerable WordPress instance.

As of August 7, 2025, the plugin has been closed and is no longer available for download [1]. Users should remove the plugin entirely from their sites to mitigate the risk. No patch is available as the plugin has been permanently removed.