Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 - Reflected Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 - Reflected Cross-Site Scripting
6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE CVE-2023-1473
CVSS 6.1 (Medium)
Publicly Published March 20, 2023
Last Updated January 22, 2024
Researcher Erwan LR - WPScan

Description

The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Software Type Plugin
Software Slug ml-slider (view on wordpress.org)
Patched? Yes
Remediation Update to version 3.29.1, or a newer patched version
Affected Version
  • <= 3.29.0
Patched Version
  • 3.29.1

Recent vulnerabilities in Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) PHP Object Injection
6.6
CVE-2026-39467
Apr 20, 2026
Researcher: daroo
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) Remote Code Execution
7.2
CVE-2026-39465
Apr 20, 2026
Researcher: Marc-André Beaulieu (h3dg3h0g)
Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter
6.4
CVE-2025-5337
Jun 13, 2025
Researcher: Asaf Mozes
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2025-1203
Mar 2, 2025
Researcher: Dmitrii Ignatyev
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2025-1062
Mar 2, 2025
Researcher: Dmitrii Ignatyev
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Editor+) PHP Object Injection
7.2
CVE-2025-26763
Feb 14, 2025
Researcher: Le Ngoc Anh
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.92.0 - Cross-Site Request Forgery
4.3
CVE-2025-24533
Nov 9, 2024
Researcher: Rafie Muhammad
Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows <= 3.70.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode
6.4
CVE-2024-3285
Apr 10, 2024
Researcher: wesley (wcraft)
Appsero <= 1.2.1 - Missing Authorization
4.3
CVE ID Unknown
Dec 16, 2022
Researchers:
Appsero <= 1.2.0 - Cross-Site Request Forgery
4.3
CVE-2022-47150
Dec 14, 2022
Researcher: István Márton
# Title CVE ID CVSS Researchers Date
1 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) PHP Object Injection CVE-2026-39467 6.6 daroo April 20, 2026
2 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) Remote Code Execution CVE-2026-39465 7.2 Marc-André Beaulieu (h3dg3h0g) April 20, 2026
3 Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter CVE-2025-5337 6.4 Asaf Mozes June 13, 2025
4 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-1203 4.4 Dmitrii Ignatyev March 2, 2025
5 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-1062 4.4 Dmitrii Ignatyev March 2, 2025
6 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Editor+) PHP Object Injection CVE-2025-26763 7.2 Le Ngoc Anh February 14, 2025
7 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.92.0 - Cross-Site Request Forgery CVE-2025-24533 4.3 Rafie Muhammad November 9, 2024
8 Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows <= 3.70.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode CVE-2024-3285 6.4 wesley (wcraft) April 10, 2024
9 Appsero <= 1.2.1 - Missing Authorization 4.3 December 16, 2022
10 Appsero <= 1.2.0 - Cross-Site Request Forgery CVE-2022-47150 4.3 István Márton December 14, 2022
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation