Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS.This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Magic Responsive Slider and Carousel WordPress plugin suffers from a reflected cross‑site scripting flaw (CWE‑79). An attacker can supply malicious input that is reflected in a rendered page, allowing arbitrary script code to execute in the victim’s browser. This vulnerability makes it possible for an attacker to read or modify data available in the browser session, potentially leading to information disclosure or content tampering.

Affected Systems

LambertGroup’s Magic Responsive Slider and Carousel WordPress plugin is affected from the first available version through 1.6. Any installation using a version at or below 1.6 is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1 % suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a browser‑based request containing malicious input, inferred because the flaw occurs during web page generation that includes user‑supplied data.

Generated by OpenCVE AI on April 30, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magic Responsive Slider and Carousel WordPress plugin to a version newer than 1.6 that incorporates the fix.
  • If no upgraded version is available, disable or remove the plugin to eliminate the reflected XSS surface.
  • Deploy a web application firewall rule that blocks suspicious XSS payloads originating from parameters used by the magic_carousel plugin.

Generated by OpenCVE AI on April 30, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Lambertgroup
Lambertgroup magic Responsive Slider And Carousel Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Lambertgroup
Lambertgroup magic Responsive Slider And Carousel Wordpress
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS.This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6.
Title WordPress Magic Responsive Slider and Carousel WordPress plugin <= 1.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Lambertgroup Magic Responsive Slider And Carousel Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.902Z

Reserved: 2025-05-30T14:04:26.750Z

Link: CVE-2025-49043

cve-icon Vulnrichment

Updated: 2026-01-26T22:00:59.314Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:55.280

Modified: 2026-04-27T20:16:08.220

Link: CVE-2025-49043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:15:40Z

Weaknesses