Impact
The vulnerability permits an attacker to inject malicious scripts that are persisted in the Carousel Ultimate plugin's data storage. When a page containing a carousel is rendered, the stored input is not properly escaped or sanitized before it is written into the page. An attacker who can add or modify carousel items could therefore cause a victim's browser to execute arbitrary JavaScript, which may lead to account hijacking, credential theft, or defacement. The weakness is a classic input validation flaw, a stored cross-site scripting issue mapped to CWE-79.
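The flaw described above is the pattern of echoing stored carousel fields into HTML without context-appropriate escaping. The following is an added example, not the plugin's own code: a hypothetical render function showing the unsafe pattern next to a hardened version that escapes on output and sanitizes on save (the function names, the `_demo_carousel_items` meta key and the nonce action are constructed for illustration; the WordPress escaping and capability APIs are real).

```php
<?php
// Added example, not the plugin's code. Hypothetical carousel items stored as
// post meta under the constructed key '_demo_carousel_items', each item being
// an array with 'title', 'caption' and 'url' keys.

// VULNERABLE pattern (the class of flaw in this advisory): stored values are
// concatenated into markup unescaped, so any HTML/JS in them runs in visitors' browsers.
function demo_render_item_unsafe( array $item ): string {
    return '<div class="item"><a href="' . $item['url'] . '">'
         . '<h3>' . $item['title'] . '</h3>'
         . '<p>' . $item['caption'] . '</p></a></div>';
}

// HARDENED: escape at output time, picking the escaper for each HTML context.
function demo_render_item_safe( array $item ): string {
    return '<div class="item"><a href="' . esc_url( $item['url'] ) . '">'
         . '<h3>' . esc_html( $item['title'] ) . '</h3>'
         // Captions may legitimately carry simple markup; wp_kses_post() keeps the
         // post-safe tag set and strips <script>, on* handlers and javascript: URLs.
         . '<p>' . wp_kses_post( $item['caption'] ) . '</p></a></div>';
}

// Defence in depth: sanitize on save too, and gate writes on capability + nonce
// so only authorized editors can change carousel data. Output escaping above
// remains the primary fix, since data already in the database may be tainted.
function demo_save_items( int $post_id, array $raw_items ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'demo_carousel_save', 'demo_carousel_nonce' );
    $clean = array();
    foreach ( $raw_items as $item ) {
        $clean[] = array(
            'title'   => sanitize_text_field( $item['title'] ?? '' ),
            'caption' => wp_kses_post( $item['caption'] ?? '' ),
            'url'     => esc_url_raw( $item['url'] ?? '' ),
        );
    }
    update_post_meta( $post_id, '_demo_carousel_items', $clean );
}

// Rendering loop: read sanitized storage and still escape every field on output.
function demo_render_carousel( int $post_id ): string {
    $items = get_post_meta( $post_id, '_demo_carousel_items', true );
    $html  = '<div class="carousel">';
    foreach ( (array) $items as $item ) {
        $html .= demo_render_item_safe( $item );
    }
    return $html . '</div>';
}
```

Auditing an existing site for this pattern means checking every place a carousel field reaches the page and confirming it passes through `esc_html()`, `esc_attr()`, `esc_url()` or `wp_kses_post()` on the way out.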
Affected Systems
WordPress sites that use the Themepoints Carousel Ultimate plugin, version 1.8 or earlier, are affected. Administrators who can create or edit carousel items are able to deliver the malicious payload. Ordinary site visitors who view a page containing the carousel are at risk if the attack succeeds.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% suggests that current exploit prevalence is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to insert or edit carousel content, typically through authenticated access or by exploiting another vulnerability that grants write permissions. Once the payload is stored, the browser of any visitor to the affected page executes the injected script, so exploitation is technically straightforward but bounded by access to the user-input channel.