Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2.
Published: 2026-01-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

An improper neutralization of input within the Owl Carousel WP plugin allows a stored cross‑site scripting attack. An attacker can inject malicious script that will execute in the browsers of anyone who views the affected content, potentially leading to cookie theft, defacement, or redirection. The weakness lies in the failure to encode or escape user input before rendering it in the page, aligning with CWE‑79.

Affected Systems

The vulnerability affects the Imran Emu Owl Carousel WP WordPress plugin in all released versions up to and including 2.2.2. Any WordPress site with the plugin installed is affected.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, while the EPSS score of less than 1% suggests that, although the flaw exists, it is not currently being widely exploited. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description and the CVSS vector (PR:H, UI:R), the likely attack vector involves an attacker who can add or modify content through the plugin's interface, typically someone with administrative or otherwise privileged access. The stored XSS payload would then be delivered to every visitor of the affected page, but exploitation first requires the attacker to succeed in storing the payload through that content-entry step.

Generated by OpenCVE AI on April 16, 2026 at 07:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Owl Carousel WP plugin to a version newer than 2.2.2 or remove the plugin entirely
  • If upgrading is not immediately possible, limit the users who can add or edit content via the plugin to trusted administrators only
  • Configure a web application firewall or input‑filtering rule to block or sanitize script tags before they are stored

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Owl Carousel WP plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:41.603Z

Reserved: 2026-01-07T12:21:40.879Z

Link: CVE-2026-22388

Vulnrichment

Updated: 2026-01-27T20:09:21.197Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:32.590

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses