Impact
The Slidorion plugin contains a stored cross‑site scripting flaw that allows an authenticated attacker with administrator‑level privileges to inject arbitrary scripts into the plugin’s administrative settings. The injected code is stored and rendered on any page that displays a Slidorion‑controlled widget, causing it to execute in the browsers of all users who view the affected page. The impact includes the ability to deface the site, deliver phishing content, or serve malicious payloads, thereby compromising the integrity, confidentiality, and availability of user sessions. This weakness is a classic example of CWE‑79, where insufficient input validation and output escaping create a persistent XSS vector.
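The defect class described above, shown as an added illustration that is not code from the Slidorion plugin: a WordPress settings field stored without a sanitize callback and echoed raw in a front-end widget, beside a hardened version that filters on save and escapes on output. The option, option-group and function names are hypothetical.

```php
<?php
// Added example, not the Slidorion plugin's code. Names such as
// example_slider_caption are hypothetical placeholders.

// --- Vulnerable pattern: no sanitize_callback, raw echo in the widget ---
add_action( 'admin_init', function () {
    // Without a sanitize_callback, whatever the admin submits is stored verbatim,
    // including <script> tags or on* handlers.
    register_setting( 'example_slider', 'example_slider_caption' );
} );

function example_slider_widget_vulnerable() {
    $caption = get_option( 'example_slider_caption', '' );
    // The stored value reaches the page unescaped, so it runs in the browser
    // of every visitor who views a page containing the widget (CWE-79).
    echo '<div class="slider-caption">' . $caption . '</div>';
}

// --- Hardened pattern: filter on save, escape on output ---
add_action( 'admin_init', function () {
    register_setting( 'example_slider', 'example_slider_caption', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_slider_sanitize_caption',
        'default'           => '',
    ) );
} );

function example_slider_sanitize_caption( $value ) {
    // wp_kses_post() keeps the post-safe tag allowlist and strips script tags
    // and event-handler attributes. This mirrors the kses filtering core applies
    // to post content for users lacking unfiltered_html, which is exactly the
    // configuration (DISALLOW_UNFILTERED_HTML or multisite) the advisory names.
    return wp_kses_post( $value );
}

function example_slider_widget_hardened() {
    $caption = get_option( 'example_slider_caption', '' );
    // Filter again at the point of output, so a value written to the option by
    // any other path (import, direct DB edit) is still neutralised before render.
    echo '<div class="slider-caption">' . wp_kses_post( $caption ) . '</div>';
}
```

If the caption is meant to be plain text rather than limited HTML, use sanitize_text_field() on save and esc_html() on output instead.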
Affected Systems
WordPress sites running the Slidorion plugin by the Hollandben development team, versions up to and including 1.0.2. The vulnerability affects multi‑site WordPress installations and any installation where the WordPress unfiltered_html capability has been disabled, allowing the malicious script to bypass the default sanitization that would otherwise apply to administrator input.
Risk and Exploitability
The CVSS base score of 4.4 indicates moderate severity, while the EPSS probability of less than 1% suggests that exploitation is currently rare but not impossible. The attacker must first authenticate to the WordPress dashboard with an account that has administrator or higher privileges, then navigate to the Slidorion settings page to inject the script. Because the vulnerability is only exploitable on sites where the unfiltered_html capability is absent or on multi‑site configurations, the attack surface is relatively narrow, which limits the scope of impact even where malicious actors hold such accounts.
OpenCVE Enrichment