Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through <= 1.07.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Carousel-of-post-images plugin for WordPress contains a DOM-based cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation. Injected JavaScript runs in the browser of a site visitor, which can expose cookies, hijack sessions, or place deceptive content on the page. The weakness is classified as CWE-79 and is present in all releases up to and including version 1.07.

Affected Systems

The flaw affects WordPress installations running the Carousel-of-post-images plugin, from its first release through version 1.07. The vendor listed for this CVE is RichardHarrison. The CNA data identifies no fixed version; it states only that all releases through 1.07 are vulnerable, so affected sites remain at risk until the plugin is updated.

Risk and Exploitability

The CVSS 3.1 score of 6.5 places the issue in the medium severity range; the vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable flaw that requires low privileges and user interaction and whose effects cross a scope boundary. The EPSS score is below 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Even so, an attacker could target high-traffic sites by placing the XSS payload in an innocuous-looking link or form field. Because the flaw is DOM-based, the payload is handled by client-side script when a visitor loads a page containing the manipulated plugin output, so the server never has to store or reflect it.

Generated by OpenCVE AI on April 30, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Carousel-of-post-images plugin to a version in which the DOM-based XSS is fixed as soon as one is available, or remove the plugin if it is no longer needed.
  • If an upgrade is not immediately possible, sanitize or escape all user-supplied content passed to the plugin with WordPress functions such as wp_kses (sanitization) or esc_html (output escaping) to prevent script injection.
  • Limit the capabilities of roles that can add or edit carousel content so that only trusted administrators can modify the fields susceptible to injection.
  • Deploy a Content Security Policy that blocks inline scripts or restricts script sources to trusted origins.
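The following JavaScript is an added illustration of the two mitigations above (output escaping and a restrictive Content Security Policy); it is not code from the Carousel-of-post-images plugin or from OpenCVE, and the advisory does not describe the plugin's actual sink. It models the general DOM-based pattern in which untrusted caption and image-URL values are concatenated into markup, beside a hardened renderer that escapes each value for its context in the way the esc_html / esc_attr recommendation implies. The slide data, the `example.invalid` URLs and the CDN origin are constructed sample values.

```javascript
// Added example (not the plugin's code). Models a carousel slide renderer:
// the unsafe form is what assigning untrusted text to element.innerHTML does
// in the browser; the safe form escapes every untrusted value first.

// Escape the characters that matter inside an HTML text node or a quoted
// attribute value (the same set WordPress esc_html / esc_attr handle).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Only http(s) URLs may reach an src attribute; anything else becomes ''.
// Relative URLs are resolved against a constructed base for the demo.
function safeUrl(url) {
  try {
    const parsed = new URL(String(url), 'https://example.invalid/');
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '';
    return parsed.href;
  } catch {
    return '';
  }
}

// Vulnerable pattern: caption and URL are dropped straight into markup.
function renderSlideUnsafe(slide) {
  return '<figure class="carousel-slide">' +
    `<img src="${slide.src}" alt="${slide.caption}">` +
    `<figcaption>${slide.caption}</figcaption>` +
    '</figure>';
}

// Hardened pattern: URL is validated, then every value is HTML-escaped.
function renderSlideSafe(slide) {
  const caption = escapeHtml(slide.caption);
  const src = escapeHtml(safeUrl(slide.src));
  return '<figure class="carousel-slide">' +
    `<img src="${src}" alt="${caption}">` +
    `<figcaption>${caption}</figcaption>` +
    '</figure>';
}

// Content-Security-Policy value that blocks inline scripts (no 'unsafe-inline')
// and limits script sources to the page's own origin plus listed origins.
function cspHeader(extraScriptOrigins = []) {
  const scriptSrc = ["'self'", ...extraScriptOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample slide: the caption carries a harmless script tag so the
// difference between the two renderers is visible.
const constructedSlide = {
  src: 'https://example.invalid/uploads/slide-1.jpg',
  caption: 'Summer sale <script>probe()</script>',
};

console.log('unsafe:', renderSlideUnsafe(constructedSlide));
console.log('safe:  ', renderSlideSafe(constructedSlide));
console.log('CSP:   ', cspHeader(['https://cdn.example.invalid']));
```

In the unsafe output the script tag survives verbatim; in the safe output it is rendered as literal text (`&lt;script&gt;…`), and a `javascript:` URL passed as `src` is reduced to an empty string. The CSP value contains no `'unsafe-inline'`, so even an unescaped inline script would be refused by a compliant browser.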

Advisories

Source: EUVD
ID: EUVD-2025-12006
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through 1.07.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through 1.07.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through <= 1.07.
Type: Title
Values Removed: WordPress Carousel-of-post-images <= 1.07 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Carousel-of-post-images plugin <= 1.07 - Cross Site Scripting (XSS) Vulnerability
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through 1.07.
Type: Title
Value: WordPress Carousel-of-post-images <= 1.07 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
Value: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.089Z

Reserved: 2025-04-24T14:23:35.867Z

Link: CVE-2025-46536

Vulnrichment

Updated: 2025-04-24T19:53:49.984Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:44.957

Modified: 2026-04-23T15:30:11.920

Link: CVE-2025-46536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:15:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')