The Multi Item Responsive Slider WordPress plugin contains a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation on the mioptions.php page. An unauthenticated attacker can craft a malicious link that, when followed by a site administrator using an authenticated session, causes the server to process a forged request that updates plugin settings. This update can embed malicious JavaScript, resulting in stored Cross‑Site Scripting that will execute in the browsers of all visitors to the site.

All releases of the Multi Item Responsive Slider plugin up to and including version 1.0 are vulnerable. Any WordPress installation that has this plugin installed with a version in that range, and where an administrator account has the ability to visit the mioptions.php page, will be affected. Sites that have upgraded beyond 1.0 or that have removed the plugin are no longer at risk.

The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1 % shows that current exploitation activity is very low, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to entice an administrator into clicking a crafted URL; once that condition is met, the CSRF request is executed and the malicious script stored. While the immediate threat is bounded by the need for social engineering, the resulting stored XSS can lead to session hijacking, credential theft, or other downstream attacks against site users.