Impact
The vulnerability is a Cross‑Site Request Forgery in the WIP WooCarousel Lite plugin that lets an attacker inject a stored cross‑site scripting payload into the site by way of a forged request. Once stored, the payload executes in the browser of every visitor who loads a page where the injected content is rendered, and can be used to deface content, exfiltrate data the script can reach, or act on the victim's behalf inside the site. WordPress sets its authentication cookies HttpOnly, so the realistic outcome is authenticated actions performed by the script rather than raw cookie theft. The weakness is classified as a stored XSS reachable through a CSRF flaw (CWE‑352).
Affected Systems
WordPress sites running the WIP WooCarousel Lite plugin at version 1.1.7 or earlier (every release from the first through 1.1.7) are affected. The plugin is distributed by the user alexvtn.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High band, while the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. As with any CSRF, the attacker needs no credentials of their own: the crafted HTTP request is submitted by the victim's browser, which attaches the victim's session cookies. The request most likely has to originate from a logged‑in user with content‑creation or plugin‑administration privileges, but this is inferred from typical CSRF patterns; the CVE description does not state the required authentication level. An attacker would lure such a user into clicking a malicious link or opening a crafted page that auto‑submits the request, thereby inserting the stored XSS payload.
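The bug class described above, shown as an added illustration rather than code from WIP WooCarousel Lite: a WordPress admin‑post handler that saves a field with no nonce, no capability check and no sanitisation, next to a hardened version. All function, option and field names prefixed `wcl_` are hypothetical; only the WordPress core APIs (`check_admin_referer`, `current_user_can`, `wp_kses_post`, `wp_nonce_field`, and so on) are real.

```php
<?php
// Added illustration, not the plugin's code. wcl_* names are hypothetical.

// --- Vulnerable pattern: the shape of a CSRF-to-stored-XSS bug ---
// Any page a logged-in administrator visits can auto-submit a form to
// admin-post.php?action=wcl_save_caption; the browser attaches the admin's
// cookies, nothing proves the admin intended the request, and the raw value
// is stored and later echoed to every visitor.
function wcl_save_caption_vulnerable() {
    update_option( 'wcl_caption', $_POST['caption'] );          // stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=wcl' ) );
    exit;
}
function wcl_render_caption_vulnerable() {
    echo '<div class="wcl-caption">' . get_option( 'wcl_caption' ) . '</div>'; // unescaped sink
}

// --- Hardened pattern ---
function wcl_save_caption_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action and this user.
    //    check_admin_referer() stops the request (HTTP 403) if it is missing or invalid.
    check_admin_referer( 'wcl_save_caption', 'wcl_nonce' );

    // 2. Authorisation: a nonce proves intent, not permission; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input: keep only the post-safe HTML allowlist (drops <script>, on* handlers,
    //    javascript: URLs). wp_unslash() removes the slashes WordPress adds to $_POST.
    $caption = wp_kses_post( wp_unslash( $_POST['caption'] ?? '' ) );
    update_option( 'wcl_caption', $caption );

    wp_safe_redirect( admin_url( 'admin.php?page=wcl' ) );
    exit;
}

// 4. Output: filter at the sink as well, so a value that reached the database by
//    another route (an older plugin version, a direct DB write) still cannot execute.
function wcl_render_caption_hardened() {
    echo '<div class="wcl-caption">' . wp_kses_post( get_option( 'wcl_caption', '' ) ) . '</div>';
}

// The legitimate settings form must embed the nonce the handler verifies.
function wcl_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wcl_save_caption">
        <?php wp_nonce_field( 'wcl_save_caption', 'wcl_nonce' ); ?>
        <input type="text" name="caption"
               value="<?php echo esc_attr( get_option( 'wcl_caption', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_wcl_save_caption', 'wcl_save_caption_hardened' );
```

Two points worth noting when reviewing a plugin for this class of bug. First, the nonce and the capability check are independent: a valid nonce only shows the request came from a form WordPress rendered for that user, so a handler that checks the nonce but not `current_user_can()` is still exploitable by any low‑privileged account. Second, if the field is meant to hold plain text rather than HTML, `sanitize_text_field()` on input and `esc_html()` on output are stricter than the `wp_kses_post()` allowlist used here.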
OpenCVE Enrichment