Impact
A Cross‑Site Request Forgery vulnerability exists in the Bhaskar Dhote Post Carousel Slider plugin that allows an attacker to store malicious scripts within the site’s content. By exploiting the lack of CSRF protection on forms that submit carousel content, an attacker can cause arbitrary JavaScript to be stored and later executed in the browsers of any visitor who loads the affected carousel. This leads to potential theft of session cookies, credential compromise, or other malicious actions as the victim. The weakness is identified as CWE‑352, which denotes missing or ineffective CSRF defenses.
Affected Systems
The flaw affects all installations of the Post Carousel Slider plugin in versions up to and including 2.0.1. The vendor listed is Bhaskar Dhote. No narrower sub‑version ranges beyond <= 2.0.1 are provided, so every release in that range is considered vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, indicating a high impact potential. The EPSS score is reported as < 1%, suggesting a low probability of exploitation at present, and the issue is not listed in CISA KEV; neither of these lowers the severity of a successful attack. Based on the description, the likely attack vector is a web‑based CSRF attempt in which a logged‑in user with rights to edit carousel content is induced to submit a form that stores the attacker's payload: the attacker embeds a link or image on a page the victim visits, and the site processes the attacker's input under the victim's credentials. The high CVSS score combined with the ease of generating CSRF requests means that, once the vulnerability is known, an attacker can potentially compromise many site visitors before mitigation.
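The following PHP is an added illustration, not code from the Post Carousel Slider plugin or its vendor. It contrasts the handler shape that produces CWE‑352 in a WordPress plugin (an admin‑post handler that accepts any POST, with no nonce or capability check, and stores raw HTML) with the hardened shape: a nonce field on the form, check_admin_referer() and current_user_can() in the handler, wp_kses_post() on the way in, and escaping on the way out. The option name, action name and all pcs_demo_* function names are assumptions made for this example.

```php
<?php
// Added example; not the plugin's own code. Names prefixed pcs_demo_ are hypothetical.

// --- Weak shape (the pattern behind a CSRF-to-stored-XSS finding) ---
// Not registered with add_action on purpose; shown only for comparison.
function pcs_demo_save_carousel_weak() {
    // No check_admin_referer(): a forged cross-site POST from any page is accepted.
    // No current_user_can(): any authenticated account reaches this code.
    // No sanitisation: script tags and event handlers are stored verbatim.
    $html = $_POST['carousel_html'] ?? '';
    update_option( 'pcs_demo_carousel_html', $html );
    wp_safe_redirect( admin_url( 'admin.php?page=pcs-demo' ) );
    exit;
}

// --- Hardened shape ---

// Settings form: the nonce field binds the submission to this user, this action
// and a limited time window, which a cross-site page cannot forge.
function pcs_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'pcs_demo_save_carousel', 'pcs_demo_nonce' ); ?>
        <input type="hidden" name="action" value="pcs_demo_save_carousel">
        <textarea name="carousel_html" rows="8" cols="60"><?php
            echo esc_textarea( get_option( 'pcs_demo_carousel_html', '' ) );
        ?></textarea>
        <?php submit_button( 'Save carousel' ); ?>
    </form>
    <?php
}

// Handler for the admin_post_{action} hook.
function pcs_demo_save_carousel_hardened() {
    // 1. Authorisation: only users who may manage settings can change carousel content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: verifies the nonce named pcs_demo_nonce for this action
    //    and calls wp_die() on failure, so execution stops here for forged requests.
    check_admin_referer( 'pcs_demo_save_carousel', 'pcs_demo_nonce' );

    // 3. Input restriction: wp_unslash() removes WordPress' added slashes, then
    //    wp_kses_post() keeps only post-safe HTML (no <script>, no on* attributes).
    $html = wp_kses_post( wp_unslash( $_POST['carousel_html'] ?? '' ) );

    update_option( 'pcs_demo_carousel_html', $html );
    wp_safe_redirect( admin_url( 'admin.php?page=pcs-demo' ) );
    exit;
}
add_action( 'admin_post_pcs_demo_save_carousel', 'pcs_demo_save_carousel_hardened' );

// Front-end output: re-apply wp_kses_post() as defence in depth, so content that
// reached the option by another route (import, older version) is still restricted.
function pcs_demo_carousel_shortcode() {
    return wp_kses_post( get_option( 'pcs_demo_carousel_html', '' ) );
}
add_shortcode( 'pcs_demo_carousel', 'pcs_demo_carousel_shortcode' );
```

When reviewing a plugin for this class of issue, the three checks above are the ones to look for in every handler that writes content: a capability check, a nonce check (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()), and sanitisation before the value is stored. A handler that has only the capability check is still CSRF‑able, because the forged request runs with the victim's capabilities.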