Impact
Flexoslider, a WordPress plugin developed by marielav, fails to neutralize user-supplied input before placing it in a generated page, resulting in a reflected cross-site scripting (XSS) flaw. Because the data is echoed back into the HTML without adequate escaping, an attacker who gets a user to open a crafted URL can run arbitrary JavaScript in that user's browser, in the origin of the affected site. Successful exploitation can lead to session hijacking, credential theft, or defacement of what the victim sees, compromising the confidentiality and integrity of site data. Since the flaw is reflected rather than stored, it affects users who follow the attacker's link, not every visitor to the page.
Affected Systems
The issue affects all installations of the Flexoslider plugin for WordPress up to and including version 1.0004. Any WordPress site that exposes the plugin's vulnerable page is potentially affected; no particular operating system or WordPress core version is required, because the flaw lies entirely in the plugin code.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as high severity, while the EPSS score below 1% indicates a very low estimated probability of exploitation in the wild at this time. The attack vector is inferred from the description: as a reflected flaw, it is triggered remotely by supplying a crafted URL or form input that the victim's browser then submits to the site, so no authentication on the attacker's side is implied, but victim interaction is. The vulnerability is not listed in CISA's KEV catalog, which further lowers the likelihood of imminent widespread exploitation. Nonetheless, the impact on an affected site remains significant, and sites running version 1.0004 or earlier should update the plugin once a later release is available, or disable it in the meantime.
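The following is an added example, not code from the Flexoslider plugin or from OpenCVE. It illustrates the mechanism described under Impact (a parameter copied into the generated page without escaping) and the crafted-URL trigger described above, and gives a canary-based check a tester can run to tell an unescaped reflection from an escaped one. The parameter name slider_id, the HTML fragment, and both handlers are assumptions made for illustration; the advisory does not name the vulnerable parameter or show the plugin's code.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode

PARAM = "slider_id"  # hypothetical parameter name; the advisory does not name one


def _param(query: str) -> str:
    """Return the first value of PARAM from a raw query string ('' if absent)."""
    return parse_qs(query, keep_blank_values=True).get(PARAM, [""])[0]


def render_vulnerable(query: str) -> str:
    """Page generation with the defect the advisory describes: the request
    parameter is copied into the HTML verbatim, in an attribute and an element
    context. Illustrative only; this is not the plugin's actual code."""
    value = _param(query)
    return f'<div class="flexoslider" data-id="{value}">{value}</div>'


def render_hardened(query: str) -> str:
    """Same page with output escaping. quote=True also converts ' and ", which the
    attribute context needs (WordPress equivalents: esc_attr / esc_html)."""
    safe = html.escape(_param(query), quote=True)
    return f'<div class="flexoslider" data-id="{safe}">{safe}</div>'


def make_canary() -> str:
    """A random marker wrapped in the characters output escaping must neutralize.
    The random token keeps the match unambiguous even if the page already
    contains angle brackets or quotes of its own."""
    token = secrets.token_hex(4)
    return f'"\'<{token}>'


def is_reflected_raw(body: str, canary: str) -> bool:
    """True when the canary comes back with its special characters intact; an
    escaped reflection contains &lt;...&gt; and &quot;/&#x27; instead."""
    return canary in body


def probe(render, canary: str = "") -> bool:
    """Send one request carrying the canary in PARAM and report whether the
    handler reflects it unescaped. `render` stands in for the HTTP round trip;
    against a live site it would be replaced by a GET of the crafted URL."""
    canary = canary or make_canary()
    query = urlencode({PARAM: canary})  # percent-encodes the canary as a browser would
    return is_reflected_raw(render(query), canary)


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflected unescaped = {probe(handler)}")
```

The canary deliberately contains no working payload: a raw echo of the quote and angle-bracket characters is sufficient evidence that an attacker could break out of the attribute or element and inject script, so the check confirms exposure without executing anything in a browser. Escaping at output time, as in render_hardened, is the fix; input filtering alone is not, because the same value may later land in a different HTML context.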
OpenCVE Enrichment