Impact
The stored cross-site scripting vulnerability in the Elfsight Testimonials Slider plugin results from improper neutralization of user input during web page generation. When malicious data is stored and later rendered in testimonial slides, the browser of any visitor who views the page executes the injected script, potentially allowing an attacker to steal session cookies, deface content, or redirect visitors. The flaw is a classic instance of CWE-79, impacting the confidentiality, integrity, and availability of sites that rely on this plugin.
Affected Systems
The vulnerability affects the WordPress plugin Elfsight Testimonials Slider up to and including version 1.0.1. Any WordPress installation that has this plugin installed and has not upgraded past that version is at risk. No other products or versions are listed as affected.
Risk and Exploitability
The CVSS score of 5.9 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. The vulnerability is not present in the CISA KEV catalog. Exploitation would likely occur through a web form or admin area that allows plugin configuration, where malicious content is stored and subsequently displayed to visitors. Sites running the vulnerable plugin remain exposed to the usual consequences of XSS.
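The pattern the Impact and Risk sections describe (testimonial text saved through a configuration form and later echoed into slide markup without neutralization) is illustrated below as an added example. This is not the Elfsight plugin's code; the function names, the `$testimonial` array and its payload strings are constructed for the illustration. Inside WordPress the real `esc_html()`, `esc_attr()` and `esc_url()` are used; the fallbacks defined at the top only exist so the snippet also runs as plain PHP, and the `esc_url()` stand-in is a deliberate simplification of what WordPress does.

```php
<?php
// Added illustration (not the Elfsight Testimonials Slider plugin's code):
// how a CWE-79 stored XSS arises when stored testimonial fields are
// interpolated straight into HTML, and how context-aware output escaping
// prevents it. All names and sample values below are hypothetical.

// Fallbacks so the file runs outside WordPress. When loaded inside
// WordPress these definitions are skipped and the core functions apply.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only http(s) URLs, otherwise return ''.
    // WordPress's real esc_url() applies a fuller allowed-protocol list.
    function esc_url($url) {
        $url = (string) $url;
        return preg_match('#^https?://#i', $url)
            ? htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Constructed sample of what an untrusted user could have saved through a
// testimonial/configuration form. The payload bodies are inert placeholders.
$testimonial = [
    'author' => 'Jane" data-x="/* constructed attribute breakout */',
    'text'   => 'Great product! <script>/* constructed */</script>',
    'avatar' => 'javascript:/* constructed */',
];

// Vulnerable pattern: stored values dropped into HTML with no neutralization.
// Whatever markup was stored is rendered, and the visitor's browser runs it.
function render_slide_vulnerable(array $t): string {
    return '<div class="slide" data-author="' . $t['author'] . '">'
         . '<img src="' . $t['avatar'] . '">'
         . '<p>' . $t['text'] . '</p>'
         . '</div>';
}

// Hardened pattern: escape each value for the context it lands in
// (attribute value, URL attribute, element text).
function render_slide_escaped(array $t): string {
    return '<div class="slide" data-author="' . esc_attr($t['author']) . '">'
         . '<img src="' . esc_url($t['avatar']) . '">'
         . '<p>' . esc_html($t['text']) . '</p>'
         . '</div>';
}

// Side-by-side output: the first line carries a live <script> element and a
// broken-out attribute; the second renders the same data as inert text.
echo render_slide_vulnerable($testimonial), PHP_EOL;
echo render_slide_escaped($testimonial), PHP_EOL;
```

Escaping at output time is the primary control for this class of bug because the stored value may reach several rendering contexts; sanitizing on save (for example with WordPress's `sanitize_text_field()` or `wp_kses_post()`) is a useful second layer but does not replace it.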
OpenCVE Enrichment
EUVD