Impact
The vulnerability is an improper neutralization of input during web page generation that allows stored Cross‑Site Scripting (XSS). An attacker could inject malicious script that is stored on the WordPress site and then executed in the browser of any user who views the affected content. This could lead to session hijacking, defacement, phishing, or arbitrary script execution in the victim’s browser, compromising the confidentiality, integrity, and trustworthiness of the web application.
Affected Systems
The affected system is the WordPress WP Featured Content Slider plugin, provided by IWEBIX. All installations of WP Featured Content Slider version 2.6 or earlier are vulnerable. No specific sub‑versions are listed; the issue affects all releases up to and including 2.6.
Risk and Exploitability
The CVSS score of 5.9 reflects a moderate severity for a stored XSS flaw. The EPSS score of less than 1 % indicates a very low but non‑zero likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, exposure is likely confined to users who view the iframe‑embedded slider content, and an attacker would first need a way to inject and store a payload in the slider’s database entries. Once stored, the script executes in the context of every visitor, enabling cross‑site attacks.
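As an added illustration (not the plugin's code, which the advisory does not show), this is the output-escaping pattern behind this class of bug and its fix in WordPress terms; the slide fields and the `fcs_*` function names are hypothetical, while the escaping and capability functions are WordPress core APIs.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical slider item renderer
// showing the unescaped pattern that produces stored XSS, and the hardened form
// using WordPress core APIs (esc_attr, esc_url, esc_html, wp_kses_post,
// sanitize_text_field, esc_url_raw, current_user_can are real WordPress functions).

// Vulnerable pattern (hypothetical): stored values are echoed straight into HTML,
// so whatever was saved in the slide's title, link or body reaches the visitor's
// browser as live markup rather than as text.
function fcs_render_slide_vulnerable( array $slide ) {
    return '<div class="slide" title="' . $slide['title'] . '">'
         . '<a href="' . $slide['link'] . '">' . $slide['title'] . '</a>'
         . '<div class="caption">' . $slide['content'] . '</div>'
         . '</div>';
}

// Hardened pattern: escape on output, choosing the escaper for each HTML context.
function fcs_render_slide_safe( array $slide ) {
    return '<div class="slide" title="' . esc_attr( $slide['title'] ) . '">'
         // esc_url() rejects dangerous schemes; esc_html() neutralises tags in text nodes.
         . '<a href="' . esc_url( $slide['link'] ) . '">' . esc_html( $slide['title'] ) . '</a>'
         // wp_kses_post() keeps the HTML allowed in posts and strips script and event handlers.
         . '<div class="caption">' . wp_kses_post( $slide['content'] ) . '</div>'
         . '</div>';
}

// Defence in depth: sanitize on save and require a capability, so a low-privileged
// account cannot store arbitrary markup in the slider's database entries at all.
function fcs_save_slide( array $input ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability to save slides.' );
    }
    return array(
        'title'   => sanitize_text_field( $input['title'] ?? '' ),
        'link'    => esc_url_raw( $input['link'] ?? '' ),
        'content' => wp_kses_post( $input['content'] ?? '' ),
    );
}
```

Output escaping is the fix that matters for stored XSS; sanitizing on save only limits who can plant a payload, and neither replaces updating the plugin past the affected versions.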
OpenCVE Enrichment