Impact
The vulnerability is an Improper Control of Generation of Code weakness, classified as CWE-94, in the GS Testimonial Slider plugin: an attacker who can manipulate the content that the plugin processes may inject code into it, which can lead to arbitrary code execution. The impact is potentially severe because injected code may run with the privileges of the web application host, compromising the entire WordPress site.
Affected Systems
The affected product is GS Plugins GS Testimonial Slider for WordPress; all releases from the earliest version up through version 3.2.9 are vulnerable. Administrators running this plugin on their WordPress installations should verify the installed version, since any instance running 3.2.9 or earlier is vulnerable.
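The version check called for above, as an added example that is not part of the advisory or of the plugin's own code: it reads the "Version:" field from a WordPress plugin header (the same field WordPress itself uses to report a plugin's version) and compares it numerically against the last affected release, 3.2.9. The plugin file path is a placeholder and the sample header is constructed for this example.

```python
"""
Added example (not part of the advisory or of GS Testimonial Slider):
decide whether an installed copy of the plugin is in the affected range,
i.e. any release up to and including 3.2.9, by parsing the "Version:"
field of the plugin's main file header.

Assumptions: PLUGIN_MAIN_FILE is a placeholder path, not the plugin's real
file name; SAMPLE_HEADER is a constructed header used to exercise the code.
"""
import re
from pathlib import Path
from typing import Optional, Tuple, Union

# Last affected release, as stated in the advisory.
LAST_AFFECTED_VERSION = "3.2.9"

# Placeholder; substitute the real main file of the installed plugin.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/gs-testimonial-slider/PLACEHOLDER-main-file.php")

# Constructed sample of a WordPress plugin header (values are illustrative).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: GS Testimonial Slider
 * Version: 3.2.9
 * Author: GS Plugins
 */
"""


def parse_version(text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.2.9' into (3, 2, 9) so that comparison is numeric, not lexical
    ('3.2.10' must sort after '3.2.9'). Non-numeric suffixes such as '-beta'
    are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(installed: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when the installed version is <= the last affected version."""
    a, b = version_key(installed), version_key(last_affected)
    # Pad to equal length so '3.2' compares like '3.2.0'.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def check_plugin_file(path: Union[str, Path]) -> Tuple[Optional[str], Optional[bool]]:
    """Read a plugin main file and return (version, vulnerable?).
    A missing file or a header without a Version field yields (None, None)."""
    p = Path(path)
    if not p.is_file():
        return None, None
    version = parse_version(p.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    sample = parse_version(SAMPLE_HEADER)
    print(f"constructed header: version {sample}, vulnerable={is_vulnerable(sample)}")
    version, vuln = check_plugin_file(PLUGIN_MAIN_FILE)
    if version is None:
        print(f"{PLUGIN_MAIN_FILE}: not found or no Version header (placeholder path)")
    else:
        print(f"{PLUGIN_MAIN_FILE}: version {version}, vulnerable={vuln}")
```

Run it from the WordPress document root after replacing the placeholder path; a result of `vulnerable=True` means the install is at or below 3.2.9 and should be updated. The numeric comparison matters because a plain string comparison would wrongly treat "3.2.10" as older than "3.2.9".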
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. No explicit exploitation details are provided, so the attack vector is inferred from normal use of the plugin: based on the description, the injection appears to be triggered through user-submitted content fields in the testimonial slider, meaning that authenticated users who can add or edit testimonials may be able to inject code.
OpenCVE Enrichment