Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw in the UberSlider Classic plugin for WordPress, classified as CWE-79 (improper neutralization of input during web page generation). Request input is written into the generated page without context-appropriate encoding, so an attacker who gets a victim to open a crafted URL can run arbitrary JavaScript in the victim's browser, in the origin of the affected site. That script can act with the victim's session (issuing requests and reading content as the victim), deface the rendered page, or redirect the victim to further malicious content; if the victim is a logged-in administrator, the script inherits that administrator's browser-side authority. The impact is confined to browsers that load the crafted link, but a single link can reach many victims once it is spread through shared links or social media.
Affected Systems
The affected vendor is LambertGroup and the product is the UberSlider Classic WordPress plugin. All versions up to and including 2.5 are vulnerable. The data does not name a fixed version, so operators should check the plugin's changelog or the vendor for a release later than 2.5 and treat every site running 2.5 or earlier as exposed.
Risk and Exploitability
The CVSS score of 7.1 places the issue at high severity. By contrast, the EPSS score is below 1% and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so the observed probability of exploitation is currently low. The attack is network-based and requires no privileges or authentication on the target site, but it does require user interaction: a victim must open a crafted URL, or otherwise submit input that the plugin echoes back into the page without encoding. Exploitation is therefore easy to attempt but depends on social engineering, and the practical risk scales with how many users, especially privileged ones, can be lured to a malicious link. The overall risk is moderate today and rises if attackers craft enticing links or run targeted social-engineering campaigns against site users.
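As an added illustration (not the plugin's own code, which is PHP, and not taken from the CVE data), the following Python models the page-generation pattern the two sections above describe, the same output with context-appropriate encoding, and the minimal reflection check a tester runs against a crafted URL. The parameter name slider_id, the markup, and the probe value are assumptions; the page does not identify the real parameter.

```python
"""Reflected-XSS pattern and reflection check.

Added illustration; this is not UberSlider Classic's code (which is PHP), and
the parameter name and markup below are assumptions, not taken from the CVE data.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical query parameter; the page does not identify the real one.
PARAM = "slider_id"

# Probe value a tester would place in the URL: closes an attribute, then injects a tag.
MARKER = '"><img src=x onerror=alert(1)>'


def first(params: dict, name: str) -> str:
    """Return the first value of a query parameter, or '' if it is absent."""
    return params.get(name, [""])[0]


def render_vulnerable(params: dict) -> str:
    """Page generation that echoes request input with no output encoding (CWE-79)."""
    value = first(params, PARAM)
    return f'<div class="uber-slider" data-id="{value}">Slider {value}</div>'


def render_fixed(params: dict) -> str:
    """Same page with encoding applied at the point of output, per context.

    The attribute context needs quotes encoded as well; the text context needs
    '<', '>' and '&' encoded. WordPress provides esc_attr() and esc_html()
    for exactly these two contexts.
    """
    value = first(params, PARAM)
    attr = html.escape(value, quote=True)   # encodes & < > " '
    text = html.escape(value, quote=False)  # encodes & < >
    return f'<div class="uber-slider" data-id="{attr}">Slider {text}</div>'


def reflected_unencoded(url: str, render) -> bool:
    """Reflection check: does the probe come back verbatim in the generated page?

    Against a live site a tester fetches the URL; here the renderer is called
    directly so the check runs offline.
    """
    params = parse_qs(urlsplit(url).query)
    return MARKER in render(params)


# Constructed crafted URL: the kind of link a victim would be sent.
CRAFTED_URL = "https://example.test/?" + PARAM + "=" + quote(MARKER, safe="")


def probe_all() -> dict:
    """Run the check against both renderers; True means the page is exploitable."""
    return {
        "vulnerable": reflected_unencoded(CRAFTED_URL, render_vulnerable),
        "fixed": reflected_unencoded(CRAFTED_URL, render_fixed),
    }


if __name__ == "__main__":
    for name, hit in probe_all().items():
        print(f"{name}: reflected unencoded = {hit}")
```

The fix is applied where the value is written into HTML, not where it is read from the request: sanitizing on input (for example with WordPress's sanitize_text_field()) does not replace output escaping, because the same value may later land in an attribute, in text, or in a URL, and each context needs its own encoding.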
OpenCVE Enrichment