Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Security & Risk Analysis

wordpress.org/plugins/ml-slider

Slider, gallery, carousel plugin for WordPress. Build your image slider, video slider, post slider, YouTube slider, or WooCommerce product slider.

500K active installs · v3.106.0 · PHP 7.0+ · WP 5.0+ · Updated Mar 2, 2026
Tags: carousel-slider, gallery, image-slider, slider, video-slider
Score: 94 · A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Jun 13, 2025
Safety Verdict

Is Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Safe to Use in 2026?

Generally Safe

Score 94/100

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Jun 13, 2025 · Updated 1mo ago
Risk Assessment

The ml-slider plugin v3.106.0 presents a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices by utilizing prepared statements for all SQL queries and a high percentage of properly escaped output. Furthermore, the absence of external HTTP requests and the presence of nonce and capability checks are commendable. However, significant concerns arise from the large attack surface exposed through AJAX handlers. A substantial number of these (30 out of 44) lack proper authentication checks, creating a broad entry point for potential attacks. The presence of the `unserialize` function is also a red flag, especially when coupled with the taint analysis indicating flows with unsanitized paths, though no critical or high severity issues were found in the taint analysis itself.

The plugin's vulnerability history is deeply concerning, with 12 known CVEs, all of which are reported as patched. However, the types of past vulnerabilities, including Deserialization of Untrusted Data, CSRF, Missing Authorization, XSS, and Information Exposure, align with the static analysis findings and highlight recurring weaknesses. The prevalence of medium-severity vulnerabilities suggests a pattern of oversight in security implementation that, while not currently critical, can still lead to exploitable conditions if not meticulously managed. The last reported vulnerability in 2025 suggests the data might be forward-looking or historical.

In conclusion, while ml-slider v3.106.0 exhibits some good security practices, the high number of unprotected AJAX endpoints and the historical pattern of common vulnerability types necessitate careful consideration. The potential for exploitation through these unprotected entry points, combined with the presence of a dangerous function like `unserialize`, creates a notable risk. Continuous vigilance and prompt patching of any future vulnerabilities are essential for mitigating the overall risk associated with this plugin.

Key Concerns

  • Large attack surface without auth checks
  • Dangerous function: unserialize
  • Flows with unsanitized paths (taint analysis)
  • 1 High severity historical CVE (now patched)
  • 11 Medium severity historical CVEs (now patched)
Vulnerabilities
12

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Security Vulnerabilities

CVEs by Year

2 CVEs in 2014
1 CVE in 2020
2 CVEs in 2022
1 CVE in 2023
2 CVEs in 2024
4 CVEs in 2025

Severity Breakdown

High: 1
Medium: 11

12 total CVEs

CVE-2025-5337 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter

Jun 13, 2025 Patched in 3.99.0 (1d)

CVE-2025-1203 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 2, 2025 Patched in 3.95.0 (37d)

CVE-2025-1062 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 2, 2025 Patched in 3.95.0 (47d)

CVE-2025-26763 · high · 7.2 · Deserialization of Untrusted Data

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.94.0 - Authenticated (Editor+) PHP Object Injection

Feb 14, 2025 Patched in 3.95.0 (13d)

CVE-2025-24533 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.92.0 - Cross-Site Request Forgery

Nov 9, 2024 Patched in 3.92.1 (103d)

CVE-2024-3285 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows <= 3.70.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode

Apr 10, 2024 Patched in 3.70.1 (1d)

CVE-2023-1473 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 - Reflected Cross-Site Scripting

Mar 20, 2023 Patched in 3.29.1 (309d)

WF-84003388-c47c-41db-8d2d-4643aa375a89-ml-slider · medium · 4.3 · Missing Authorization

Appsero <= 1.2.1 - Missing Authorization

Dec 16, 2022 Patched in 3.28.1 (699d)

CVE-2022-2823 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Plugin <= 3.27.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 14, 2022 Patched in 3.27.9 (496d)

WF-f5292c55-6445-4aec-b06e-6e625794d842-ml-slider · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider <= 3.17.1 - Authenticated Stored Cross-Site Scripting

Aug 28, 2020 Patched in 3.17.2 (1243d)

CVE-2014-4846 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Plugin <= 2.5 - Cross-Site Scripting

Aug 1, 2014 Patched in 2.6 (3462d)

WF-d67cd96b-6fec-44db-be50-395bed199e9b-ml-slider · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Plugin <= 2.1.6 - Full Path Disclosure

Aug 1, 2014 Patched in 2.2 (3462d)

Code Analysis
Analyzed Mar 16, 2026

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (10 prepared)
Unescaped Output: 68 (506 escaped)
Nonce Checks: 19
Capability Checks: 23
File Operations: 7
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

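unserialize · `return @unserialize( trim( $data ), array( 'allowed_classes' => false ) );` · admin\slideshows\Slideshows.php:397

This call passes `'allowed_classes' => false`, so PHP returns any serialized object as `__PHP_Incomplete_Class` instead of instantiating a plugin or WordPress class.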

SQL Query Safety

100% prepared · 10 total queries

Output Escaping

88% escaped · 574 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

7 flows · 4 with unsanitized paths
<metaslider.systemcheck.class> (inc\metaslider.systemcheck.class.php:0)

Attack Surface: 30 unprotected

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Attack Surface

Entry Points: 47
Unprotected: 30

AJAX Handlers 44

auth · wp_ajax_notice_handler · admin\Notices.php:53
auth · wp_ajax_quickstart_ads · admin\Notices.php:60
auth · wp_ajax_ms_get_slideshows · admin\routes\api.php:65
auth · wp_ajax_ms_list_slideshows · admin\routes\api.php:66
auth · wp_ajax_ms_get_single_slideshow · admin\routes\api.php:67
auth · wp_ajax_ms_get_legacy_slideshows · admin\routes\api.php:68
auth · wp_ajax_ms_get_preview · admin\routes\api.php:69
auth · wp_ajax_ms_delete_slideshow · admin\routes\api.php:70
auth · wp_ajax_ms_duplicate_slideshow · admin\routes\api.php:71
auth · wp_ajax_ms_save_slideshow · admin\routes\api.php:72
auth · wp_ajax_ms_search_slideshows · admin\routes\api.php:73
auth · wp_ajax_ms_export_slideshows · admin\routes\api.php:74
auth · wp_ajax_ms_import_slideshows · admin\routes\api.php:75
auth · wp_ajax_ms_get_all_free_themes · admin\routes\api.php:78
auth · wp_ajax_ms_get_custom_themes · admin\routes\api.php:79
auth · wp_ajax_ms_get_theme_customization · admin\routes\api.php:80
auth · wp_ajax_ms_set_theme · admin\routes\api.php:81
auth · wp_ajax_ms_import_images · admin\routes\api.php:84
auth · wp_ajax_ms_import_others · admin\routes\api.php:85
auth · wp_ajax_ms_update_user_setting · admin\routes\api.php:88
auth · wp_ajax_ms_get_user_details · admin\routes\api.php:89
auth · wp_ajax_ms_update_all_slideshow_settings · admin\routes\api.php:90
auth · wp_ajax_ms_update_single_slideshow_setting · admin\routes\api.php:91
auth · wp_ajax_ms_get_slideshow_default_settings · admin\routes\api.php:92
auth · wp_ajax_ms_save_slideshow_default_settings · admin\routes\api.php:93
auth · wp_ajax_ms_get_single_setting · admin\routes\api.php:96
auth · wp_ajax_ms_get_global_settings · admin\routes\api.php:97
auth · wp_ajax_ms_update_global_settings · admin\routes\api.php:98
auth · wp_ajax_ms_update_global_settings_single · admin\routes\api.php:99
auth · wp_ajax_set_tour_status · admin\routes\api.php:102
auth · wp_ajax_ms_get_image_ids_from_filenames · admin\routes\api.php:103
auth · wp_ajax_ms_get_pro_settings · admin\routes\api.php:108
auth · wp_ajax_ms_update_pro_settings · admin\routes\api.php:109
auth · wp_ajax_update_slide_image · inc\slide\metaslide.class.php:24
auth · wp_ajax_create_image_slide · inc\slide\metaslide.image.class.php:28
auth · wp_ajax_resize_image_slide · inc\slide\metaslide.image.class.php:29
auth · wp_ajax_crop_position_image_slide · inc\slide\metaslide.image.class.php:30
auth · wp_ajax_duplicate_slide · inc\slide\metaslide.image.class.php:31
auth · wp_ajax_delete_slide · ml-slider.php:345
auth · wp_ajax_undelete_slide · ml-slider.php:346
auth · wp_ajax_permanent_delete_slide · ml-slider.php:347
auth · wp_ajax_quickstart_upload · ml-slider.php:348
auth · wp_ajax_quickstart_slideshow · ml-slider.php:349
auth · wp_ajax_quickstart_slideshow_v2 · ml-slider.php:350

Shortcodes 3

[metaslider] ml-slider.php:302
[ml-slider] ml-slider.php:303
[metaslider_hide] ml-slider.php:304
WordPress Hooks 107

action · enqueue_block_editor_assets · admin\Gutenberg.php:17
filter · metaslider_preview_styles · admin\Gutenberg.php:19
action · admin_enqueue_scripts · admin\Notices.php:52
action · admin_notices · admin\Notices.php:55
action · metaslider_admin_notices · admin\Notices.php:57
action · metaslider_quickstart_ads · admin\Notices.php:59
action · init · admin\Pages.php:40
action · admin_enqueue_scripts · admin\Pages.php:43
action · load-toplevel_page_metaslider · admin\Pages.php:291
action · rest_api_init · admin\routes\api.php:1307
filter · metaslider_css_classes · admin\slideshows\Themes.php:756
filter · metaslider_css_classes · admin\slideshows\Themes.php:773
filter · metaslider_get_image_slide · inc\slide\metaslide.image.class.php:25
filter · metaslider_html_purifier_config · inc\slide\metaslide.image.class.php:26
action · metaslider_save_image_slide · inc\slide\metaslide.image.class.php:27
filter · metaslider_flex_slider_image_attributes · inc\slide\metaslide.image.class.php:32
filter · wp_get_attachment_image_attributes · inc\slide\metaslide.image.class.php:1222
action · metaslider_admin_table_before · inc\slider\metaslider.class.php:33
action · metaslider_admin_table_after · inc\slider\metaslider.class.php:34
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:31
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:32
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:33
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:34
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:35
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:36
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:37
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:38
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:39
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:40
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:41
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:42
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:43
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:44
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:47
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:51
filter · metaslider_css · inc\slider\metaslider.flex.class.php:54
filter · metaslider_css · inc\slider\metaslider.flex.class.php:55
filter · metaslider_css · inc\slider\metaslider.flex.class.php:56
filter · metaslider_css · inc\slider\metaslider.flex.class.php:57
filter · metaslider_css_classes · inc\slider\metaslider.flex.class.php:58
filter · metaslider_flex_slider_parameters · inc\slider\metaslider.flex.class.php:59
filter · metaslider_flex_slider_javascript_before · inc\slider\metaslider.flex.class.php:67
filter · metaslider_nivo_slider_parameters · inc\slider\metaslider.nivo.class.php:26
filter · metaslider_nivo_slider_parameters · inc\slider\metaslider.nivo.class.php:28
filter · metaslider_css_classes · inc\slider\metaslider.responsive.class.php:24
action · admin_notices · ml-slider.php:242
action · metaslider_admin_notices · ml-slider.php:244
action · admin_head · ml-slider.php:313
action · admin_head · ml-slider.php:314
action · admin_menu · ml-slider.php:315
action · admin_menu · ml-slider.php:316
action · admin_bar_menu · ml-slider.php:317
action · init · ml-slider.php:318
action · init · ml-slider.php:319
action · init · ml-slider.php:320
action · init · ml-slider.php:321
action · admin_init · ml-slider.php:322
action · admin_footer · ml-slider.php:323
action · admin_footer · ml-slider.php:324
action · admin_post_metaslider_switch_view · ml-slider.php:326
action · admin_post_metaslider_delete_slide · ml-slider.php:327
action · admin_post_metaslider_delete_slider · ml-slider.php:328
action · admin_post_metaslider_create_slider · ml-slider.php:329
action · media_upload_vimeo · ml-slider.php:331
action · media_upload_youtube · ml-slider.php:332
action · media_upload_post_feed · ml-slider.php:333
action · media_upload_layer · ml-slider.php:334
action · media_upload_external_url · ml-slider.php:335
action · media_upload_local_video · ml-slider.php:336
action · media_upload_external_video · ml-slider.php:337
action · media_upload_custom_html · ml-slider.php:338
action · media_upload_tiktok · ml-slider.php:339
action · media_upload_folder · ml-slider.php:340
action · media_upload_post_images · ml-slider.php:341
action · media_upload_woocommerce · ml-slider.php:342
action · load-toplevel_page_metaslider · ml-slider.php:352
action · widgets_init · ml-slider.php:367
filter · media_upload_tabs · ml-slider.php:411
filter · media_view_strings · ml-slider.php:412
action · media_buttons · ml-slider.php:413
filter · plugin_row_meta · ml-slider.php:414
action · admin_head · ml-slider.php:415
filter · style_loader_tag · ml-slider.php:418
filter · body_class · ml-slider.php:421
action · plugins_loaded · ml-slider.php:3019
filter · metaslider_flex_slider_responsive_arrows_enable · themes\clarity\v1.0.0\theme.php:28
filter · metaslider_theme_css · themes\ms-theme-base.php:66
filter · metaslider_slideshow_output · themes\ms-theme-base.php:69
filter · metaslider_css · themes\ms-theme-base.php:70
action · metaslider_register_public_styles · themes\ms-theme-base.php:79
filter · metaslider_flex_slider_parameters · themes\ms-theme-base.php:82
filter · metaslider_responsive_slider_parameters · themes\ms-theme-base.php:83
filter · metaslider_nivo_slider_parameters · themes\ms-theme-base.php:84
filter · metaslider_coin_slider_parameters · themes\ms-theme-base.php:85
filter · metaslider_flex_slider_parameters · themes\ms-theme-base.php:86
filter · metaslider_flex_slider_filmstrip_parameters · themes\ms-theme-base.php:89
filter · metaslider_flex_slider_responsive_arrows_enable · themes\nexus\v1.0.0\theme.php:28
filter · metaslider_flex_slider_responsive_arrows_prev_class · themes\nexus\v1.0.0\theme.php:29
filter · metaslider_flex_slider_responsive_arrows_next_class · themes\nexus\v1.0.0\theme.php:32
filter · metaslider_flex_slider_parameters · themes\precognition\v1.0.0\theme.php:36
filter · metaslider_flex_slider_parameters · themes\radix\v1.0.0\theme.php:40
filter · metaslider_responsive_slider_parameters · themes\radix\v1.0.0\theme.php:41
filter · metaslider_nivo_slider_parameters · themes\radix\v1.0.0\theme.php:42
filter · metaslider_flex_slider_parameters · themes\simply-dark\v1.0.0\theme.php:28
filter · metaslider_responsive_slider_parameters · themes\simply-dark\v1.0.0\theme.php:29
filter · metaslider_nivo_slider_parameters · themes\simply-dark\v1.0.0\theme.php:30
filter · metaslider_coin_slider_parameters · themes\simply-dark\v1.0.0\theme.php:31

Maintenance & Trust

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.0
Downloads: 33.2M

Community Trust

Rating: 92/100
Number of ratings: 730
Active installs: 500K

Developer Profile

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Developer Profile

MetaSlider

2 plugins · 510K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 823 days
Detection Fingerprints

How We Detect Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin.css
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin-slider-settings.css
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin-theme-settings.css
  • /wp-content/plugins/ml-slider/assets/metaslider/css/metaslider.css
  • /wp-content/plugins/ml-slider/assets/metaslider/css/slick.css
  • /wp-content/plugins/ml-slider/assets/metaslider/css/slick-theme.css
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin-slider-settings.js
  • +5 more
Script Paths
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin-slider-settings.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin-theme-settings.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/metaslider.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/slick.js
  • /wp-content/plugins/ml-slider/assets/metaslider/js/jquery.themepunch.min.js
  • +1 more
Version Parameters
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin-slider-settings.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/css/admin-theme-settings.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/css/metaslider.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/css/slick.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/css/slick-theme.css?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin-slider-settings.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/admin-theme-settings.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/metaslider.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/slick.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/jquery.themepunch.min.js?ver=
  • /wp-content/plugins/ml-slider/assets/metaslider/js/jquery.themepunch.plugins.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • metaslider
  • ml-slider
  • ms-slider-container
  • metaslider-layer-transition
HTML Comments
  • <!-- Slider
  • <!-- Slider container -->
  • <!-- Slider Controls -->
  • <!-- Slider Pagination -->
  • +1 more
Data Attributes
  • data-slide-id
  • data-transition
  • data-delay
  • data-navigation
  • data-arrows
  • data-bullets
JS Globals
  • metaslider
  • mlSlider
  • metaslider_admin
  • metaslider_i18n
REST Endpoints
  • /wp-json/metaslider/v1/sliders
  • /wp-json/metaslider/v1/sliders/(?P<id>\d+)
  • /wp-json/metaslider/v1/images
  • /wp-json/metaslider/v1/settings
Shortcode Output
[metaslider id=
FAQ

Frequently Asked Questions about Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider