The vulnerability is a Classic Stored Cross‑Site Scripting flaw that allows an attacker to inject malicious scripts into the WpF Ultimate Carousel plugin content. These scripts persist in the database and execute when legitimate users view the affected carousel, potentially defacing the site, hijacking sessions or delivering malware. The weakness is a classic client‑side injection flaw recorded as CWE‑79. The impact is mainly the compromise of confidentiality, integrity, and availability of site content for users who view the carousel, though it does not provide direct server‑side code execution.

The flaw affects all installations of the WordPress plugin WpF Ultimate Carousel from its inception through version 1.0.11, delivered by the vendor wpfreeware. Any site using WpF Ultimate Carousel up to and including 1.0.11 is vulnerable.

The CVSS score of 6.5 classifies the vulnerability as moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit this by inserting malicious scripts into carousel content if the site allows content creation by untrusted users. However, without broad exposure or automated exploitation tools, the overall risk remains low to moderate.