The vulnerability is an improper neutralization of input during web page generation, enabling attackers to inject malicious scripts via the Simple Text Slider plugin’s content fields. This results in a stored cross‑site scripting vector that can run arbitrary JavaScript when other users view the affected page, potentially allowing session hijacking, defacement, or redirection to phishing sites. The weakness is identified as CWE‑79, indicating inadequate input validation and output encoding.

The issue affects the WordPress plugin Simple Text Slider from w1zzard, versions from the earliest available through 1.0.5 the latest release at the time of the advisory. Any WordPress site that has this plugin installed and has not applied a patch to a newer version is susceptible.

The CVSS score of 6.5 classifies the vulnerability as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation under current public information, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by submitting malicious markup into the slider content, which is persisted and rendered for all visitors. The attack path is largely local with regard to site administration (i.e., any user who can add or edit slider content could inject scripts).