Impact
Improper neutralization of input during web page generation (CWE-79, cross-site scripting) results in a DOM-based XSS vulnerability in the Simple Owl Carousel plugin. An attacker can craft input that the plugin's client-side code places into the page's DOM without sanitization, so attacker-supplied JavaScript runs in the victim's browser in the context of the affected site. From there the attacker can steal session cookies, deface content, or redirect the user to malicious sites. Because the flaw is DOM-based, the injection happens in the browser when the plugin's script processes the input rather than in HTML generated by the server, and the fix is contextual output encoding (or a text-only DOM sink) at the point where the value is written, not input validation alone.
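The pattern described above, as an added illustration that is not the Simple Owl Carousel plugin's own code: a client-side script reads a caption from a DOM source (the URL fragment, chosen here as an assumption), and either concatenates it straight into markup (the vulnerable sink) or escapes it first (the hardened sink). The slide and caption names, the attack URL and the gallery path are all invented for the example, and `window.location` is replaced by a `URL` object so the block runs outside a browser.

```javascript
// Added example of a DOM-based XSS source/sink pair; not the plugin's code.
// Names such as "owl-caption" and the "caption" fragment parameter are assumptions.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// DOM source: read the caption from the URL fragment, e.g. https://site/#caption=...
// In a browser this would be window.location.href; here the href is passed in.
function captionFromUrl(href) {
  const hash = new URL(href).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get('caption') || '';
}

// Vulnerable sink: the caption is concatenated into markup untouched. In a browser
// this string would be assigned to slide.innerHTML and any tag inside it parsed.
function renderCaptionVulnerable(caption) {
  return '<div class="owl-caption">' + caption + '</div>';
}

// Hardened sink: the same value is treated as text, not markup. Equivalent to
// assigning the raw caption to slide.textContent instead of innerHTML.
function renderCaptionSafe(caption) {
  return '<div class="owl-caption">' + escapeHtml(caption) + '</div>';
}

// Check: which element tags does the rendered fragment actually contain?
// Only the wrapper <div> should be present after rendering untrusted input.
function tagNames(html) {
  const names = [];
  const re = /<\s*([a-z][a-z0-9-]*)/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed attacker URL: the payload fires via an onerror handler, no <script> needed.
const ATTACK_URL = 'https://example.test/gallery/#caption=' +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

function demo() {
  const caption = captionFromUrl(ATTACK_URL);
  return {
    vulnerable: renderCaptionVulnerable(caption),
    safe: renderCaptionSafe(caption),
  };
}

const out = demo();
console.log(tagNames(out.vulnerable)); // ["div","img"]: the injected element survives
console.log(tagNames(out.safe));       // ["div"]: the payload is inert text
```

The `tagNames` check is the kind of assertion to keep in a plugin's front-end tests: render a known payload through the caption path and require that no element other than the wrapper appears.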
Affected Systems
WordPress sites running the PressTigers Simple Owl Carousel plugin at version 1.1.1 or older are affected. The plugin is an image carousel component, and the vulnerability applies to any site running those versions. Administrators should check the installed version (shown on the Plugins page in wp-admin, or in the Version field of the plugin's main file header) and update if it is 1.1.1 or older.
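One way to script that check, as an added helper that is not part of WordPress or the plugin: read the standard WordPress plugin header from the plugin's main PHP file and compare the Version field numerically against 1.1.1. The sample header below is constructed for the example; on a real site the source would be read from the plugin's main file under wp-content/plugins.

```javascript
// Added helper for the affected-version check; not WordPress or plugin code.
const LAST_VULNERABLE_VERSION = '1.1.1';

// Pull the "Version:" field out of a WordPress plugin header comment.
function pluginVersionFromHeader(phpSource) {
  const m = /^\s*\*?\s*Version:\s*(\S+)/mi.exec(phpSource);
  return m ? m[1] : null;
}

// Compare dotted versions segment by segment, so "1.1.10" > "1.1.2" and
// "1.1" equals "1.1.0". A plain string comparison would get the first case wrong.
// Non-numeric suffixes ("1.1.1-beta") are ignored for the purpose of this check.
function compareVersions(a, b) {
  const pa = a.split('.').map(s => parseInt(s, 10) || 0);
  const pb = b.split('.').map(s => parseInt(s, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 1.1.1 or older is affected, per the advisory.
function isAffected(version) {
  return compareVersions(version, LAST_VULNERABLE_VERSION) <= 0;
}

// Audit a plugin file's source: returns the version found and whether it is affected.
function auditPluginHeader(phpSource) {
  const version = pluginVersionFromHeader(phpSource);
  return { version, affected: version === null ? null : isAffected(version) };
}

// Constructed sample, modelled on the standard WordPress plugin header format.
const SAMPLE_HEADER = `<?php
/**
 * Plugin Name: Simple Owl Carousel
 * Version: 1.1.1
 */
`;

console.log(auditPluginHeader(SAMPLE_HEADER)); // { version: '1.1.1', affected: true }
```

To run it against a live install, read the plugin's main file with `fs.readFileSync` and pass the contents to `auditPluginHeader`; a `null` version means the header was not found and the file is probably not the plugin's main file.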
Risk and Exploitability
The CVSS score of 6.5 places the issue at medium severity, and the EPSS score below 1% indicates a low but non-zero probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The attack vector is the web interface: the plugin accepts untrusted input that reaches a DOM sink, and no authentication or elevated privileges are needed to supply it. As with DOM-based XSS generally, the victim typically has to open an attacker-crafted link or otherwise load the malicious input, but any visitor to a page served by the vulnerable plugin can be targeted, so the risk is significant for a publicly accessible site.