Impact
The Ui Slider Filter By Price plugin fails to properly neutralize user-supplied content before embedding it into a page, which allows an attacker to inject JavaScript that executes in the victim's browser. This reflected cross-site scripting flaw can be used to steal session cookies, obtain credentials, or perform other malicious actions in the context of the site. The weakness is a classic example of an input-neutralization failure and is catalogued as CWE-79.
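To make the mechanism concrete, the following is an added illustration and not the plugin's own code: a hypothetical shortcode handler that renders a price slider, first in the unsafe pattern the advisory describes (a request parameter copied straight into HTML) and then in a hardened form using WordPress's real `absint()`, `wp_unslash()` and `esc_attr()` helpers. The function names and the `min_price` parameter are assumptions for the example.

```php
<?php
// Added example (not code from the Ui Slider Filter By Price plugin).
// Both functions render the same slider; only the handling of the
// request parameter differs. Parameter and function names are hypothetical.

// VULNERABLE PATTERN: the query parameter is embedded without neutralization.
function price_slider_vulnerable() {
    $min = isset( $_GET['min_price'] ) ? $_GET['min_price'] : '0';
    // Whatever arrives in min_price becomes part of the page markup,
    // so attacker-controlled markup or script is reflected back (CWE-79).
    return '<input type="range" name="min_price" value="' . $min . '">';
}

// HARDENED PATTERN: validate the type, then escape for the output context.
function price_slider_hardened() {
    // A price bound is a non-negative integer; absint() discards anything else.
    // wp_unslash() undoes WordPress's automatic slashing of request data.
    $min = isset( $_GET['min_price'] ) ? absint( wp_unslash( $_GET['min_price'] ) ) : 0;
    // esc_attr() is still applied so the value stays safe inside an HTML
    // attribute even if the validation rule above is relaxed later.
    return '<input type="range" name="min_price" value="' . esc_attr( $min ) . '">';
}

// Register the hardened renderer as a shortcode (hypothetical tag name).
add_shortcode( 'price_slider_example', 'price_slider_hardened' );
```

The defensive point is that validation and output escaping are separate controls: `absint()` enforces the expected data type, while `esc_attr()` guarantees the value is safe for the attribute context regardless. If the same value were emitted inside an inline `<script>` block rather than an attribute, the context-appropriate escaper would instead be `wp_json_encode()`.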
Affected Systems
All WordPress sites running chenyenming's Ui Slider Filter By Price plugin at any version up to and including 1.1 are potentially vulnerable. No release up to and including 1.1 contains a fix, so every deployment of those versions is affected.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS value of less than 1% suggests a low probability of widespread exploitation at present. The issue is not listed in the CISA KEV catalog, so there is no recorded evidence of active exploitation. Typically, exploitation would involve an attacker crafting a malicious URL or input that takes advantage of the plugin's unfiltered output when the slider interface is rendered; this scenario is inferred from the description of improper input neutralization rather than from a published proof of concept.