Impact
The vulnerability is a stored cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation: carousel data is written into the rendered page without being escaped for its output context. An attacker who can insert script into the carousel data has it executed in the browser of every user who visits a page displaying that carousel. This can lead to session hijacking, defacement, content theft, or the delivery of malware to visitors, compromising the integrity and confidentiality of the site and its users.
Affected Systems
WordPress installations that use the Themepoints Carousel Ultimate plugin in version 1.8 or earlier are affected. Any site running the plugin without upgrading to a newer version remains vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to supply content to the carousel, which typically requires write access to a page or post that hosts the carousel. This could be achieved by a malicious administrator, by a compromised user account with editing privileges, or potentially by an external user if the plugin accepts input from untrusted sources. Once the malicious content is stored, the injected script runs in the browser of every visitor to a page that renders the carousel.
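The two passages above describe the bug class (stored values rendered unescaped) and its precondition (write access to carousel data). The following is an added illustration, not code from the Themepoints plugin: a hypothetical carousel item renderer in its unescaped form beside a hardened form that escapes each value for its output context and checks capability and nonce before storing input. The item fields (`title`, `caption`, `link`, `image`), the function names prefixed `tp_demo_`, and the option name are assumptions; the escaping and capability functions are WordPress core APIs.

```php
<?php
// Added illustration of stored XSS in a carousel renderer; not the plugin's code.
// Assumed item shape: array with 'title', 'caption', 'link', 'image' (constructed).

// Unescaped pattern: stored values are concatenated straight into markup, so any
// markup saved into the item is emitted verbatim to every visitor.
function tp_demo_render_item_unsafe( array $item ) {
    return '<div class="item" data-title="' . $item['title'] . '">'
        . '<a href="' . $item['link'] . '"><img src="' . $item['image'] . '"></a>'
        . '<p>' . $item['caption'] . '</p></div>';
}

// Hardened pattern: escape for the context each value lands in.
//   attribute value -> esc_attr, URL attribute -> esc_url,
//   limited rich text -> wp_kses_post (strips script and event handlers).
function tp_demo_render_item_safe( array $item ) {
    return '<div class="item" data-title="' . esc_attr( $item['title'] ) . '">'
        . '<a href="' . esc_url( $item['link'] ) . '">'
        . '<img src="' . esc_url( $item['image'] ) . '" alt="' . esc_attr( $item['title'] ) . '">'
        . '</a>'
        . '<p>' . wp_kses_post( $item['caption'] ) . '</p></div>';
}

// Hardened save handler: refuse callers without edit rights, verify the nonce,
// and sanitize each field on the way in (defense in depth; output escaping
// above is still required because stored data may predate this check).
function tp_demo_save_item( array $raw ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'tp_demo_forbidden', 'Insufficient privileges.' );
    }
    check_admin_referer( 'tp_demo_save_item' ); // dies on a missing/invalid nonce

    $item = array(
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
        'caption' => wp_kses_post( $raw['caption'] ?? '' ),
        'link'    => esc_url_raw( $raw['link'] ?? '' ),
        'image'   => esc_url_raw( $raw['image'] ?? '' ),
    );
    update_option( 'tp_demo_carousel_item', $item ); // assumed storage location
    return $item;
}
```

A quick check when reviewing a plugin for this class: every `echo` or string concatenation of a stored carousel value should pass through one of the `esc_*` or `wp_kses*` functions appropriate to where the value is emitted.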
OpenCVE Enrichment