Impact
The Slides & Presentations plugin contains a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation. An attacker who can supply a malicious slide can embed script code that is subsequently executed in the browsers of any user who views the slide, potentially allowing session hijacking, defacement, or arbitrary code execution in the context of the visitor.
Affected Systems
This vulnerability affects the Ella Van Durpe Slides & Presentations WordPress plugin, in all releases up to and including 0.0.39. The plugin is distributed through the official WordPress plugin repository and runs inside a WordPress site.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. With an EPSS score of <1%, the likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is through the slide creation or editing interface, where an attacker can inject malicious input that becomes stored and later rendered in a web page. Because the plugin stores the content server‑side, the flaw can be exercised by any user with access to the slide management interface, potentially without authentication, depending on the site's configuration.