CVE-2025-5337
Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label ParameterThe Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 57,801 live websites that are affected by CVE-2025-5337.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 57,801 live websites (45% of MetaSlider for WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 128 versions ( 93% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jun 14, 2025
- Updated - Apr 8, 2026
Credits
- Asaf Mozes (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-5337 United States | 10,666 websites |
 Japan | 9,870 websites |
 Germany | 5,601 websites |
 Russia | 3,017 websites |
 France | 2,926 websites |
 Italy | 2,359 websites |
 GB | 2,119 websites |
 Poland | 1,724 websites |
 Netherlands | 1,514 websites |
 Vietnam | 1,376 websites |
Website Distribution by TLD
Number of websites using CVE-2025-5337| .com | 21,977 websites |
| .de | 3,627 websites |
| .jp | 2,807 websites |
| .ru | 2,500 websites |
| .org | 2,364 websites |
| .it | 1,631 websites |
| .net | 1,600 websites |
| .co.uk | 1,343 websites |
| .nl | 1,315 websites |
| .co.jp | 1,310 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-5337
Top websites that are affected by CVE-2025-5337. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | United States | *,*** | |
| **********.ru | Russia | **,*** | |
| *******.com | Japan | **,*** | |
| **************.ca |  Canada | **,*** | |
| **********.com | United States | **,*** | |
| *********************.pl | Poland | **,*** | |
| *********.**.jp | United States | **,*** | |
| ******.*******.**.jp | Japan | **,*** | |
| ******.*****.edu | United States | **,*** | |
| ********.**.jp | Japan | **,*** |
FAQ
CVE-2025-5337 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MetaSlider for WordPress
A total of 57,801 websites have been identified as vulnerable to CVE-2025-5337, based on global website indexing conducted by WebTechSurvey.
The MetaSlider for WordPress is affected by the CVE-2025-5337 vulnerability.
MetaSlider for WordPress versions up to and including 3.98 are vulnerable to CVE-2025-5337.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e6492e5-a506-4d77-96d2-08f700b6ee76?source=cve
- https://plugins.trac.wordpress.org/browser/ml-slider/tags/3.98.0/assets/metaslider/script.js#L11
- https://wordpress.org/plugins/ml-slider/#developers
- https://plugins.trac.wordpress.org/changeset/3309932/ml-slider/tags/3.99.0/assets/metaslider/script.js