Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS.This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that allows arbitrary JavaScript execution in visitors’ browsers.
Action: Immediate Update
AI Analysis

Impact

The affected WordPress plugin does not neutralize user‑supplied content before inserting it into web pages, creating a DOM‑based cross‑site scripting flaw. An attacker can inject malicious JavaScript that runs when a visitor loads the page.

Affected Systems

Any WordPress installation that uses the subhansanjaya "Carousel Horizontal Posts Content Slider" plugin on a version up to and including 3.3.2 is vulnerable. No further version precision is provided by the CNA.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious input added to the plugin’s content area that is then reflected in a browser context; an attacker would need to target a user who views the affected page. Given the nature of DOM‑based XSS, exploitation requires the victim to load the content, making it a low‑to‑moderate likelihood attack under present conditions.

Generated by OpenCVE AI on April 18, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Carousel Horizontal Posts Content Slider plugin to the latest version (≥ 3.3.3 if available).
  • If an update is not immediately possible, disable the plugin until the fix is deployed.
  • Until a patch is available, restrict content editing privileges so that only trusted administrators can add content that may be rendered by the plugin.

Generated by OpenCVE AI on April 18, 2026 at 03:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS.This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2.
Title WordPress Carousel Horizontal Posts Content Slider plugin <= 3.3.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:34.015Z

Reserved: 2026-01-07T12:21:19.919Z

Link: CVE-2026-22347

cve-icon Vulnrichment

Updated: 2026-01-27T20:36:45.945Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:31.210

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses