Impact
The vulnerability allows authenticated users with Contributor-level permissions to inject arbitrary JavaScript into the 'alwaysauto' attribute of the Slideshow Gallery LITE shortcode. The plugin fails to sanitize or escape this attribute, resulting in stored XSS that executes in any browser that views the affected page. An attacker could hijack sessions, steal credentials, or execute other malicious actions within the site context. The weakness corresponds to CWE-79, a classic cross‑site scripting flaw.
Affected Systems
This flaw exists in all releases of the Slideshow Gallery LITE WordPress plugin up to and including version 1.8.5, as supplied by Contrid. Any site running those versions is at risk; newer releases are not affected.
Risk and Exploitability
With a CVSS score of 6.4 the severity is medium. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV, indicating low current exploitation pressure. However, the attack vector requires an authenticated Contributor account or higher, so compromise of an account or use of social‑engineering to gain elevated privileges could enable exploitation. The stored nature of the XSS means injected content will persist and affect all future page views by any user.
OpenCVE Enrichment