Impact
The Master Slider Pro plugin fails to properly neutralize user‑controllable input before it reaches the page, allowing a DOM‑based cross‑site scripting (XSS) attack. Client‑side code in the plugin takes data supplied by the browser at run time (for DOM‑based XSS this is typically part of the URL) and writes it unsanitized into the page’s Document Object Model, so an attacker who lures a user onto an affected page with a crafted link can execute arbitrary JavaScript in that user’s session. The script could be used to steal session cookies or tokens, deface the page as rendered for the victim, or mount credential phishing, compromising the confidentiality and integrity of site data and, through defacement, its availability to the affected user.
Affected Systems
The vulnerability exists in any WordPress installation running the averta Master Slider Pro plugin at version 3.7.12 or earlier. Every release up to and including 3.7.12 is at risk regardless of the WordPress core version; only upgrading the plugin to a release newer than 3.7.12 removes the flaw.
Risk and Exploitability
The CVSS base score is 6.5 (medium severity). The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild over the next 30 days and that the flaw has not yet been widely observed; EPSS is a prediction, not evidence that the flaw cannot be exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because the flaw is DOM‑based, the payload never needs to reach the server: the attacker places it in something the victim’s browser will hand to the plugin’s script (typically a crafted URL), and the script itself writes it into the page, where it runs with the victim’s privileges. Exploitation therefore requires user interaction (the victim must open the attacker‑supplied link or page) and executes entirely in the victim’s browser; it does not give the attacker code execution on the server, although anything the victim’s authenticated session is permitted to do can be driven from the injected script.
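The source‑to‑sink flow described above, as an added illustration that is not the plugin’s code and does not reproduce the actual vulnerable function: a hypothetical slider script that reads a `slide` query parameter from the URL and writes it into a caption. The vulnerable version assigns attacker‑controlled text to `innerHTML`; the hardened versions either treat the value as plain text or validate it against the only shape the script actually needs (a slide index). A minimal stand‑in element is used so the snippet runs under Node without a browser; the parameter name, the payload and the element class are all constructed for the example.

```javascript
// Added example: illustrative DOM-based XSS pattern, NOT Master Slider Pro's code.
// Assumptions (hypothetical): the plugin script reads a "slide" URL parameter
// and renders it as a caption. A stand-in element replaces the real DOM so the
// example runs offline under Node; in a browser, `el` would come from
// document.querySelector(...) and `locationSearch` from window.location.search.

class FakeElement {
  constructor() {
    this.innerHTML = '';   // stands in for the HTML-parsing sink
    this.textContent = ''; // stands in for the text-only sink
  }
}

// Vulnerable: a DOM source (URL query string) flows straight into innerHTML,
// an HTML-parsing sink, so tags and event handlers in the value become live markup.
function renderCaptionVulnerable(locationSearch, el) {
  const caption = new URLSearchParams(locationSearch).get('slide') || '';
  el.innerHTML = '<span class="caption">' + caption + '</span>';
  return el.innerHTML;
}

// Hardened (option 1): treat the value as data, never as markup.
// textContent does not parse HTML, so "<img ...>" is displayed literally.
function renderCaptionSafe(locationSearch, el) {
  const caption = new URLSearchParams(locationSearch).get('slide') || '';
  el.textContent = caption;
  return el.textContent;
}

// Hardened (option 2): when the parameter only ever selects a slide, validate it
// against an allowlist (a short decimal index within range) and ignore anything else.
function parseSlideIndex(locationSearch, slideCount) {
  const raw = new URLSearchParams(locationSearch).get('slide');
  if (raw === null || !/^\d{1,4}$/.test(raw)) return 0; // reject non-numeric input
  const idx = Number(raw);
  return idx < slideCount ? idx : 0;                   // reject out-of-range index
}

// Constructed attacker link: the payload is URL-encoded the way a phishing link
// would carry it; URLSearchParams decodes it back to markup before it hits the sink.
const PAYLOAD = '?slide=' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// Stand-alone demonstration of the three behaviours.
function demo() {
  return {
    vulnerable: renderCaptionVulnerable(PAYLOAD, new FakeElement()),
    safeText: renderCaptionSafe(PAYLOAD, new FakeElement()),
    safeIndexFromPayload: parseSlideIndex(PAYLOAD, 5),
    safeIndexFromValid: parseSlideIndex('?slide=3', 5),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}

module.exports = { FakeElement, renderCaptionVulnerable, renderCaptionSafe, parseSlideIndex, PAYLOAD, demo };
```

Note that the server never sees the decoded payload in this flow: it arrives encoded in the query string (or, in many real DOM XSS cases, in the fragment after `#`, which the browser does not send at all), and only the client‑side script turns it into executable markup. Server‑side output escaping and a WAF therefore do not help; the fix has to be in the script that performs the write, or in a Content Security Policy that blocks inline event handlers.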
OpenCVE Enrichment