Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the NV Slider post-insertion process that allows an attacker to inject malicious script content, resulting in stored cross-site scripting (XSS). The weakness is classified as CWE-352: the attacker can cause forged requests to be sent that the target site accepts as authenticated. The stored XSS can then execute in the browser of any visitor who views the affected slider, potentially exfiltrating credentials, defacing content, or loading additional malware.
Affected Systems
WordPress sites that have installed the ryscript NV Slider plugin version 1.6 or earlier are affected. The product is the NV Slider plugin published by ryscript; all installations from the original release up to and including version 1.6 carry the flaw.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests that, although exploits are possible, they are currently unlikely to be widely deployed. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is as follows: an attacker hosts a malicious link or page and tricks an authenticated user of the victim site into visiting it. That page then submits a forged request to the NV Slider endpoint, and the resulting script is stored in the slider content and runs for all subsequent site visitors.
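The chain described above needs two missing controls: no anti-CSRF token on the save request, and no sanitization or escaping of the stored slide fields. The following PHP is an added example of a WordPress save handler with both controls in place; it is not code from NV Slider or from this advisory, and every `demo_` name, the table name and the admin page slug are hypothetical.

```php
<?php
// Added illustration: hypothetical plugin code, not NV Slider's source.
// Every demo_ identifier, the table and the page slug are invented here.

// Admin form: embeds a nonce bound to the current user and this action.
function demo_slider_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_slider_save">';
    wp_nonce_field( 'demo_slider_save', 'demo_slider_nonce' );
    echo '<input type="text" name="slide_title">';
    echo '<textarea name="slide_caption"></textarea>';
    submit_button( 'Save slide' );
    echo '</form>';
}

add_action( 'admin_post_demo_slider_save', 'demo_slider_save' );
function demo_slider_save() {
    // CSRF control (CWE-352): a request forged from another site rides on the
    // victim's cookies but cannot supply a valid nonce, so it stops here.
    check_admin_referer( 'demo_slider_save', 'demo_slider_nonce' );

    // The nonce shows intent, not privilege: check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Stored-XSS control on input: plain text for the title, an allow-list
    // of post-safe HTML for the caption (script tags and handlers removed).
    $title   = sanitize_text_field( wp_unslash( $_POST['slide_title'] ?? '' ) );
    $caption = wp_kses_post( wp_unslash( $_POST['slide_caption'] ?? '' ) );

    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'demo_slides', // hypothetical table
        array( 'title' => $title, 'caption' => $caption ),
        array( '%s', '%s' )
    );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-slider' ) );
    exit;
}

// Stored-XSS control on output: escape again at render time, so rows written
// before the input filter existed cannot execute in visitors' browsers.
function demo_slider_render( $slide ) {
    return '<div class="demo-slide"><h3>' . esc_html( $slide->title ) . '</h3>'
        . wp_kses_post( $slide->caption ) . '</div>';
}
```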