Impact
The vulnerability is an improper neutralization of user input during web page generation, which permits a reflected cross-site scripting (XSS) attack. An attacker can inject arbitrary client-side script through request parameters that the plugin neither encodes nor sanitizes before echoing them into the response. If executed, this could allow theft of user session cookies, defacement of web pages, or redirection to malicious sites, compromising the confidentiality and integrity of user data.
Affected Systems
WordPress sites that use the Irshad A.Khan Cyber Slider plugin, specifically all releases from the initial build through version 1.1 inclusive.
Risk and Exploitability
The CVSS base score of 7.1 classifies the issue as high severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. Because the vulnerability is reflected, an attacker only needs to craft a malicious URL or form input whose parameters are echoed back unescaped in the HTML response; no authentication or persistence is required. The plugin is not listed in the CISA KEV catalog, but sites that expose the vulnerable endpoint may still be susceptible to targeted attacks. Applying a patch that eliminates the unescaped input handling is the most effective mitigation.
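The unescaped-echo pattern the advisory describes, beside a hardened version, as an added PHP illustration that is not the plugin's own code; the parameter name slide_id, the markup and the validation rule are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Cyber Slider plugin. The advisory names no
// parameter, so "slide_id" is a hypothetical request parameter echoed into the page.

// Vulnerable pattern: a raw request value is concatenated straight into the HTML
// response, so whatever the browser sent is rendered as markup (reflected XSS).
function render_vulnerable(array $request): string {
    $id = $request['slide_id'] ?? '';
    return '<div class="cyber-slider" data-slide="' . $id . '">' . $id . '</div>';
}

// Escaping helpers: inside WordPress use esc_attr()/esc_html(); htmlspecialchars()
// with ENT_QUOTES is the stand-alone equivalent so this file also runs without WordPress.
function esc_attr_ctx(string $s): string {
    return function_exists('esc_attr') ? esc_attr($s) : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function esc_html_ctx(string $s): string {
    return function_exists('esc_html') ? esc_html($s) : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: validate the input against its expected shape, then escape
// for each output context (attribute value vs. element text) at the point of output.
function render_fixed(array $request): string {
    $raw = isset($request['slide_id']) ? (string) $request['slide_id'] : '';
    // Assumed contract: slide identifiers are short alphanumerics; anything else is rejected.
    $id = preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) ? $raw : '';
    return '<div class="cyber-slider" data-slide="' . esc_attr_ctx($id) . '">' . esc_html_ctx($id) . '</div>';
}

// Constructed input: a harmless tag used only to show the difference in handling.
$input = ['slide_id' => '"><b>probe</b>'];
echo render_vulnerable($input), PHP_EOL; // the tag lands in the page as live markup
echo render_fixed($input), PHP_EOL;      // value rejected; nothing unescaped reaches the page

// Escaping must hold on its own as well: no raw '<' or '"' may survive into the output.
assert(strpos(esc_attr_ctx('"><b>'), '<') === false);
assert(strpos(esc_attr_ctx('"><b>'), '"') === false);
```

The validation step and the escaping step are independent defences; the patch the advisory refers to needs at least the escaping at every point where a request parameter is written into the response.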
OpenCVE Enrichment