radSLIDE, a WordPress plugin developed by radicaldesigns, suffers from a Missing Authorization vulnerability (CWE‑862). The flaw allows an attacker with sufficient access to the slider creation interface to inject arbitrary script code that is stored and rendered in subsequent page loads. The stored Cross‑Site Scripting can be leveraged to steal user sessions, deface content, or execute further malicious actions within the context of the victim site. The primary impact is the ability for an attacker to execute arbitrary client‑side code on any site that views the affected sliders.

Known affected products include the radSLIDE plugin for WordPress, version 2.1 and all releases prior to that. The vulnerability is present in all builds from the earliest documented release up to and including 2.1, as specified by the vendor’s affected‑version range. WordPress sites that have installed radSLIDE without upgrading beyond 2.1 are potentially exposed.

The CVSS base score of 6.3 indicates moderate severity, and the EPSS value of less than 1% suggests a low current exploitation probability in the wild. The vulnerability is not listed in the CISA KEV catalog, further supporting a low exploitation likelihood. However, the attack surface is still significant on sites that use the plugin and rely on slider content that is publicly visible. It is inferred that the attacker would target the slider administration area, requiring an authenticated user with sufficient privileges. Once the stored script is injected, any visitor to the impacted page will execute the code.