Impact
The vulnerability is an Improper Neutralization of Input during Web Page Generation (Cross‑Site Scripting) that allows an attacker to inject script into the output of the LambertGroup AllInOne Content Slider plugin. Because the injected input is reflected back to the victim without adequate sanitization, a user who is lured into visiting a crafted URL ends up executing the attacker's arbitrary code in their own browser.
Affected Systems
All installations of the WordPress plugin LambertGroup - AllInOne - Content Slider from its inception through version 3.8 are impacted. This includes every site that has remained on or below this version and has not applied a later update.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the high-severity band, while the EPSS score of less than 1% suggests that, up to this point, exploitation has not been widely observed in the wild. The vulnerability is not listed in CISA's KEV catalog, further indicating that it has not yet been leveraged by known threat actors. Attackers can exploit the flaw by composing a malicious URL that carries a script payload in the parameter the plugin emits without escaping; no privileges are required beyond getting the victim's browser to open that URL. Once executed, the payload can steal session cookies, deface the site, or redirect the user to malicious domains.
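The following is an added illustration, not code from the AllInOne Content Slider plugin or from OpenCVE. It covers both points above: the Impact section's pattern of reflecting a request parameter into HTML without neutralization (shown next to the escaped form, checked by parsing the rendered fragment the way a browser would), and this section's exploitation path of script payloads in a crafted URL, for which a small access-log scanner flags requests whose decoded query values carry script-capable markup. The parameter name slider_id, the HTML fragment and the log lines are constructed for the example; the plugin's real parameter and path are not given on this page.

```python
"""Reflected XSS (CWE-79) from the defender's side: unsafe vs. escaped
reflection, plus a log scanner for exploitation attempts. Hypothetical
code for this page; nothing here is the plugin's own source."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit


def render_unsafe(value: str) -> str:
    """The flawed pattern: request input placed into HTML with no neutralization."""
    return f'<div class="slider" data-id="{value}">{value}</div>'


def render_safe(value: str) -> str:
    """The fix: escape for the HTML context. quote=True also neutralizes the
    quotes that would otherwise let input break out of the attribute
    (WordPress's esc_attr() / esc_html() play this role in PHP)."""
    safe = escape(value, quote=True)
    return f'<div class="slider" data-id="{safe}">{safe}</div>'


class _MarkupAudit(HTMLParser):
    """Records elements and attributes a browser would treat as executable."""

    URI_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in {"script", "iframe", "svg", "object", "embed"}:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif name in self.URI_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"uri:{name}")


def active_markup(fragment: str) -> list:
    """Parse a rendered fragment and list script-capable constructs. Escaped
    input never becomes a tag or attribute, so the safe renderer yields an
    empty list for the same payload that lights up the unsafe one."""
    audit = _MarkupAudit()
    audit.feed(fragment)
    audit.close()
    return audit.findings


# Minimal Common Log Format matcher: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup a reflected slider parameter never legitimately carries: a tag
# opener, a javascript: URI, or an inline event handler.
PAYLOAD_RE = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon(error|load|click|focus|mouse\w*|key\w*)\s*=",
    re.I,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a double-encoded value is seen in
    the form the server finally renders."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """One record per query parameter whose decoded value carries
    script-capable markup. The status is kept for triage: a 200 means the
    payload probably reached the page, a 403 means something blocked it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                decoded = fully_decode(raw)
                if PAYLOAD_RE.search(decoded):
                    hits.append({"ip": m["ip"], "param": name, "value": decoded, "status": int(m["status"])})
    return hits


# Constructed sample traffic: a benign request, a plain payload, a
# double-encoded payload, and a benign value that merely contains '<'.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?slider_id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /?slider_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '198.51.100.4 - - [10/Mar/2024:12:00:03 +0000] "GET /?slider_id=%2522%2520onerror%253Dalert(1) HTTP/1.1" 403 199',
    '203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /?search=i+%3C3+sliders HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print("unsafe:", active_markup(render_unsafe(payload)))
    print("safe:  ", active_markup(render_safe(payload)))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The audit deliberately parses the rendered output instead of grepping it for strings: an escaped payload still contains the text `onerror=`, but after escaping it can only ever be attribute text or character data, never an attribute or element, which is exactly the property the fix in the plugin needs to establish. The log scanner decodes repeatedly before matching so that the `%25`-wrapped variant is not missed, and it reports blocked requests too, since a burst of 403s against the same parameter is still worth correlating with the 200s.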
OpenCVE Enrichment