Improper neutralization of input during web page generation allows an attacker to inject arbitrary scripts into the HTML returned to the victim. The vulnerability exists in the MG Parallax Slider plugin for WordPress, affecting all releases up to and including version 1.0. An attacker can craft a URL that contains malicious JavaScript in a query parameter or form field, which is then reflected in the page without proper escaping. This reflected Cross‑Site Scripting can lead to session hijacking, credential theft, defacement, or delivery of malware to unsuspecting users. The weakness is classified as CWE‑79.

Affected systems include WordPress sites that have installed the MG Parallax Slider plugin developed by Mahesh Waghmare. Any site running the plugin in a version earlier than 1.1 (or currently at 1.0) is vulnerable.

The CVSS score of 7.1 indicates a high severity, and the EPSS score of < 1 % suggests a low exploitation probability at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote, requiring an end‑user to click a malicious link or submit a crafted form that includes the vulnerable parameter. Once triggered, the victim’s browser executes the attacker’s JavaScript, enabling various malicious actions unless mitigated.