The Content Grid Slider plugin contains an Improper Neutralization of Input during web page generation, resulting in a reflected cross‑site scripting vulnerability. An attacker can embed malicious scripts into a URL that, when accessed by a user, execute in the victim’s browser with the same privileges as the user. This can lead to session hijacking, data theft, defacement or the initiation of further attacks against the site or its visitors. The weakness is catalogued as CWE‑79 and does not allow remote code execution beyond the browser sandbox, but it has significant confidentiality and integrity implications for any user who clicks a crafted link.

The vulnerability affects the councilsoft Content Grid Slider WordPress plugin. All installed versions from an unspecified earliest release up to and including version 1.5 are vulnerable. Users running any of these versions should check and update the plugin.

The CVSS score of 7.1 reflects a moderate‑high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread or confirmed exploitation yet. The most likely attack vector is a web‑based one: an attacker creates a malicious URL and persuades a victim to click it or injects it into a page that the victim will visit. If the victim’s browser executes the script, the attacker can perform actions that appear to come from the victim.