Impact
A cross‑site scripting flaw exists the WP Google Review Slider plugin for WordPress versions 18.0 and earlier. The vulnerability allows an attacker to inject arbitrary JavaScript that executes in the browsers of any user who views the reviews slider. The flaw is exploitable without any authentication, and can compromise the confidentiality, integrity, or availability of the site’s front‑end by hijacking user sessions, stealing credentials, or defacing the page. Affected systems include WordPress sites running the jgwhite33 WP Google Review Slider plugin version 18.0 or earlier. The latest fixed version is 18.1, which removes the code path that permits the injection of untrusted script content. The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of real‑world exploitation at the time of analysis. This vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to arise from the plugin’s rendering of user‑supplied review content, which the plugin does not sanitize correctly, enabling unauthenticated payload injection via the review slider output.
Affected Systems
Affected systems are WordPress websites that have installed the jgwhite33 WP Google Review Slider plugin version 18.0 or earlier. The vulnerability exists in all releases up to and including 18.0, affecting sites that display the review slider component. Upgrading to version 18.1 or later patches the flaw.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of real‑world exploitation at the time of analysis. This vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to arise from the plugin’s rendering of user‑supplied review content, which the plugin does not sanitize correctly, enabling unauthenticated payload injection via the review slider output.
OpenCVE Enrichment