The vulnerability is a reflected XSS flaw caused by improper neutralization of user‑controlled input during page rendering. An attacker can craft a request containing malicious scripts that are reflected back in the page served by the Flexo Slider plugin. If a user visits the crafted URL or interacts with the page, the injected code executes in the victim's browser, potentially compromising session cookies, redirecting to phishing sites or executing arbitrary actions under the victim's identity. This falls under CWE‑79 and represents a serious threat to confidentiality, integrity, and availability of authenticated users.

The flaw affects all installations of the Flexo Slider plugin for WordPress up to and including version 1.0013. The plugin is distributed by flexostudio and is commonly used to embed sliders in WordPress sites. Any host running a vulnerable version is susceptible, regardless of the site’s broader WordPress configuration. The issue persists across all WordPress core versions that support the plugin; the plugin itself does not apply input sanitization to the parameters that generate slider output.

The CVSS score of 7.1 indicates a high severity level, while the EPSS score of less than 1 % suggests the likelihood of exploitation in the wild is currently low. The vulnerability is not yet recorded in CISA’s Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by sending a crafted URL or form input that the plugin processes and reflects back to the user's browser. Because the attack vector is web‑based and does not require privileged access, the risk is significant for any site exposed to the internet that has the plugin installed.