Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel Post Carousel & Slider post-types-carousel-slider allows Reflected XSS.This issue affects Post Carousel & Slider: from n/a through <= 1.0.4.
Published: 2025-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are reflected back to the victim’s browser. If executed, this can lead to execution of arbitrary JavaScript in the context of the site, enabling credential theft, session hijacking, or defacement. The weakness is identified as a Cross‑Site Scripting flaw (CWE‑79).

Affected Systems

Patel’s Post Carousel & Slider plugin for WordPress is affected in all releases up through version 1.0.4. Any site running one of these versions is vulnerable.

Risk and Exploitability

With a CVSS score of 7.1, the flaw presents medium‑to‑high risk, but the EPSS score of less than 1% suggests it is currently exploited infrequently. The attack vector is a reflected XSS scenario, likely triggered by visitors clicking a crafted URL or submitting input that is echoed without proper escaping. No authentication is required; simply being a browser visitor is enough to trigger the exploitation path. Because the vulnerability is not listed in the CISA KEV catalog, there is no known widespread exploitation campaign against it at this time.

Generated by OpenCVE AI on May 1, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post Carousel & Slider plugin to the latest available version that removes the unsanitized input handling.
  • If an update is not immediately possible, disable or uninstall the plugin to eliminate the vulnerability from the active site.
  • Implement a Content Security Policy that restricts script execution to trusted sources, reducing the risk of successful script injection even if the flaw remains.

Generated by OpenCVE AI on May 1, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2965 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel Post Carousel & Slider allows Reflected XSS.This issue affects Post Carousel & Slider: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel Post Carousel & Slider allows Reflected XSS.This issue affects Post Carousel & Slider: from n/a through 1.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel Post Carousel & Slider post-types-carousel-slider allows Reflected XSS.This issue affects Post Carousel & Slider: from n/a through <= 1.0.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 15 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel Post Carousel & Slider allows Reflected XSS.This issue affects Post Carousel & Slider: from n/a through 1.0.4.
Title WordPress Post Carousel & Slider plugin <= 1.0.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:38:33.673Z

Reserved: 2025-01-07T21:04:32.544Z

Link: CVE-2025-22750

cve-icon Vulnrichment

Updated: 2025-01-15T18:55:59.319Z

cve-icon NVD

Status : Deferred

Published: 2025-01-15T16:15:37.610

Modified: 2026-06-17T08:49:46.770

Link: CVE-2025-22750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T21:45:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')