Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper allows Stored XSS. This issue affects flickr-slideshow-wrapper: from n/a through 5.4.6.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Because this is a stored variant of CWE-79, an attacker who can get script into data the plugin persists (for example a slideshow setting or caption) has it delivered, unescaped, to every browser that renders the affected slideshow. The payload then runs in the origin of the WordPress site itself, where it can read whatever that origin exposes to script (the page DOM, non-HttpOnly cookies, localStorage), perform actions as the viewing user through the site's own endpoints (a serious concern if an administrator views the page), inject phishing content, or deface the page. The CVE record does not say which field is injectable or what role is needed to write to it, so the exact blast radius is inferred from the vulnerability class, not documented.

Affected Systems

The flickr-slideshow-wrapper WordPress plugin by Jeannot Muller, in every release up to and including 5.4.6 (the record gives no lower bound, listed as "n/a"). The page lists no fixed version.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) scores 7.1 (High): network-reachable, low attack complexity, no privileges required, user interaction required (a victim has to load the page carrying the payload), and changed scope because the script executes in the visitor's browser rather than inside the plugin. Confidentiality, integrity and availability impacts are each rated Low. The EPSS estimate below 1% and the SSVC assessment in the history (Exploitation: none, Automatable: no) both indicate no observed exploitation, and the CVE is not in the CISA KEV catalog. The attack is web-based: the attacker injects script through input the plugin accepts and persists (for instance when a slideshow is created or configured), and the plugin later writes that value into a page without escaping it, so every visitor who views the slideshow executes it. Note the tension between PR:N in the vector and the assumption that the attacker edits a slideshow: the record does not state which input is injectable or which role can write to it, so treat any front-end or low-privilege input the plugin stores as a candidate.
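The inject, store, serve chain described above is the generic CWE-79 pattern. The PHP below is an added illustration of that pattern in a WordPress slideshow wrapper; it is not code from flickr-slideshow-wrapper, whose internals this page does not describe. The shortcode, option and function names (xss_demo_*) and the settings fields are invented for the example. It shows a vulnerable save/render pair beside a hardened one that validates on the way in and escapes per output context on the way out.

```php
<?php
/**
 * Added illustration of the CWE-79 pattern behind a stored XSS in a
 * WordPress slideshow wrapper. NOT code from flickr-slideshow-wrapper;
 * all xss_demo_* names and the settings fields are invented.
 */

// Vulnerable pattern: settings are saved exactly as submitted and echoed
// into HTML without escaping. A caption such as
//   "><img src=x onerror=alert(document.cookie)>
// is stored once and then runs in every visitor's browser that renders it.
function xss_demo_save_vulnerable() {
    update_option( 'xss_demo_settings', array(
        'set'     => $_POST['set'] ?? '',
        'caption' => $_POST['caption'] ?? '',
    ) );
}

function xss_demo_render_vulnerable( $atts ) {
    $opts = get_option( 'xss_demo_settings', array( 'set' => '', 'caption' => '' ) );
    return '<div class="slideshow" data-set="' . $opts['set'] . '">'
         . '<p class="caption">' . $opts['caption'] . '</p>'
         . '</div>';
}

// Hardened pattern:
//  1. authorise and verify a nonce before accepting the write,
//  2. validate on save with an allow-list (an ID is digits only),
//  3. escape on output with the function that matches the output context.
function xss_demo_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    return array(
        'set'     => preg_replace( '/\D+/', '', (string) ( $input['set'] ?? '' ) ),
        'caption' => sanitize_text_field( (string) ( $input['caption'] ?? '' ) ),
        'link'    => esc_url_raw( (string) ( $input['link'] ?? '' ), array( 'http', 'https' ) ),
    );
}

// Registering the option with a sanitize_callback makes every update_option()
// and Settings API write pass through the validator, so stored data is clean
// even if some other code path writes the option.
add_action( 'admin_init', function () {
    register_setting( 'xss_demo', 'xss_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'xss_demo_sanitize_settings',
    ) );
} );

function xss_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'xss_demo_save' );
    // The sanitize_callback runs inside update_option() via register_setting().
    update_option( 'xss_demo_settings', array(
        'set'     => wp_unslash( $_POST['set'] ?? '' ),
        'caption' => wp_unslash( $_POST['caption'] ?? '' ),
        'link'    => wp_unslash( $_POST['link'] ?? '' ),
    ) );
}

function xss_demo_render_hardened( $atts ) {
    $opts = get_option( 'xss_demo_settings', array() );
    $opts = xss_demo_sanitize_settings( $opts ); // defence in depth: do not trust stored data
    // Escape for the exact context: attribute value, URL, text node.
    $html = '<div class="slideshow" data-set="' . esc_attr( $opts['set'] ) . '">';
    if ( $opts['link'] !== '' ) {
        $html .= '<a href="' . esc_url( $opts['link'] ) . '" rel="noopener">'
               . esc_html( $opts['caption'] ) . '</a>';
    } else {
        $html .= '<p class="caption">' . esc_html( $opts['caption'] ) . '</p>';
    }
    $html .= '</div>';
    return $html;
}

add_shortcode( 'xss_demo_slideshow', 'xss_demo_render_hardened' );
```

The hardened render re-sanitizes what it reads from the database because a stored XSS is, by definition, data that was already persisted before the fix; escaping on output (esc_attr, esc_url, esc_html) is what neutralizes it, and validation on save only prevents new payloads from landing. Escaping once with the wrong function (for example esc_html inside an attribute, or no esc_url on an href that can carry a javascript: URL) leaves the hole open.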

Generated by OpenCVE AI on May 1, 2026 at 09:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Watch for and apply a flickr-slideshow-wrapper release newer than 5.4.6 that addresses this issue. The record lists no fixed version, so confirm the plugin changelog or the Patchstack advisory before treating an upgrade as the fix.
  • If no fix is available, deactivate or remove the plugin. Deactivation alone leaves already-stored data in the database; when removing it, review slideshow settings and captions for injected markup (<script, on*= event handlers, javascript: URLs).
  • Deploy a Content Security Policy that restricts script execution to trusted origins, ideally nonce- or hash-based without 'unsafe-inline'. Expect breakage: WordPress core and many plugins emit inline scripts, so roll it out as Content-Security-Policy-Report-Only first. CSP limits the impact of a stored payload; it does not remove it.

Generated by OpenCVE AI on May 1, 2026 at 09:34 UTC.

Advisories
Source | ID | Title
EUVD | EUVD-2025-11631 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper allows Stored XSS. This issue affects flickr-slideshow-wrapper: from n/a through 5.4.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics (cvssV3_1) | | {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper allows Stored XSS. This issue affects flickr-slideshow-wrapper: from n/a through 5.4.6. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper flickr-slideshow-wrapper allows Stored XSS.This issue affects flickr-slideshow-wrapper: from n/a through <= 5.4.6.
References | |
Metrics (cvssV3_1) | | {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper allows Stored XSS. This issue affects flickr-slideshow-wrapper: from n/a through 5.4.6.
Title | | WordPress flickr-slideshow-wrapper Plugin <= 5.4.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics (cvssV3_1) | | {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.838Z

Reserved: 2025-02-21T16:45:34.057Z

Link: CVE-2025-27309

Vulnrichment

Updated: 2025-04-17T17:44:31.068Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:36.720

Modified: 2026-06-17T09:03:22.600

Link: CVE-2025-27309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')