Impact
The WordPress Logo Slider plugin suffers from a stored cross-site scripting flaw: JavaScript injected into slide content is saved and later output on a page without being neutralized. This can lead to client-side attacks such as session hijacking, defacement, or other malicious actions performed in the browsers of visitors who view the affected slider. The vulnerability is categorized as CWE-79 and does not involve escalation of privileges on the WordPress host. The impact is limited to the confidentiality, integrity, and availability of end-user sessions and does not affect the server or broader site functionality. Based on the description, it is inferred that the attacker must be able to submit or edit slide content to exploit the flaw. This issue affects all releases of the plugin up through version 5.1.1.
Affected Systems
All releases of LogicHunt’s Logo Slider plugin up to and including version 5.1.1 are vulnerable. The product is a WordPress plugin distributed through the official plugin repository; any WordPress site running one of these plugin versions is affected.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker submitting malicious code through the plugin’s slide configuration interface; the payload is stored in the database and rendered on subsequent page loads, where it executes in the browser of any visitor who views the compromised slider. Exploitation requires the malicious data to persist, typically through administrative access to slide editing, and operates entirely within the client’s browser context.
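The CWE-79 pattern described above, stored slide values written into HTML without escaping, is shown below beside its hardened form. This is an added example, not code from the Logo Slider plugin or from LogicHunt; the function names, the `$slide` record and its values are constructed for illustration. It uses the real WordPress escaping helpers `esc_html()`, `esc_attr()` and `esc_url()`, with approximations defined so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's own code): a minimal slide renderer showing the
// stored-XSS pattern from the advisory next to a context-aware escaped version.
// render_slide_vulnerable, render_slide_hardened and $slide are hypothetical names.

// Fallbacks so the file runs on the PHP CLI; inside WordPress the real helpers are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Approximation of WordPress esc_url(): drop anything that is not http(s), then encode.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed slide record as it might come back from the database after an editor
// saved it. Stored content is untrusted at render time regardless of who saved it.
$slide = [
    'title'   => 'Partner <script>alert(1)</script>',
    'link'    => 'javascript:alert(1)',
    'caption' => 'Visit us <b onmouseover="alert(1)">here</b>',
];

// Vulnerable pattern: stored values are concatenated straight into the markup,
// so a script or event handler saved in any field runs in every visitor's browser.
function render_slide_vulnerable(array $slide): string {
    return '<div class="slide" title="' . $slide['title'] . '">'
         . '<a href="' . $slide['link'] . '">' . $slide['caption'] . '</a></div>';
}

// Hardened pattern: each value is escaped for the exact context it lands in
// (attribute, URL attribute, element body). The stored data is left unchanged;
// neutralization happens at output time.
function render_slide_hardened(array $slide): string {
    return '<div class="slide" title="' . esc_attr($slide['title']) . '">'
         . '<a href="' . esc_url($slide['link']) . '">' . esc_html($slide['caption']) . '</a></div>';
}

echo "VULNERABLE:\n", render_slide_vulnerable($slide), "\n\n";
echo "HARDENED:\n", render_slide_hardened($slide), "\n";
```

In the hardened output the `<script>` and `onmouseover` text appears literally as encoded characters and the `javascript:` link collapses to an empty `href`, so nothing executes. If a caption is meant to carry limited formatting, `wp_kses_post()` allowlists safe tags instead of escaping everything; what matters is that escaping is chosen per output context and applied on every render path, which is the check to look for when reviewing a fixed release of the plugin.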
OpenCVE Enrichment