The Slippy Slider plugin for WordPress contains a stored cross‑site scripting flaw in its 'slippy-slider' shortcode. The plugin fails to sanitize or escape user‑supplied attributes, allowing an authenticated user with contributor or higher privileges to embed arbitrary JavaScript into the shortcode content. When a page containing the injected shortcode is loaded, the malicious script will run in the context of that page, potentially defacing content, stealing credentials, or performing other client‑side attacks. This weakness is classified as Web Input Validation/Cross‑Site Scripting (CWE‑80).

This flaw affects the mitegvg Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress in all releases up to and including version 2.0. Sites running any of these versions of the plugin are vulnerable if an authenticated contributor or higher role is present. No specific PHP or platform versions are listed in the advisory, so the issue applies to all WordPress environments hosting the affected plugin.

The CVSS base score of 5.4 indicates moderate severity, primarily due to the need for an authenticated user with contributor or higher privileges to inject payloads. The EPSS score is below 1%, suggesting the likelihood of public exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the absence of sanitization means any user who authenticates with sufficient rights can inject scripts that will execute for all visitors who view the affected page. Because the vulnerability is stored, the malicious code persists until the plugin is upgraded or removed.