Impact
The Quick Interest Slider plugin for WordPress is vulnerable to stored cross‑site scripting because the loan‑amount and loan‑period parameters are saved without input sanitization and rendered without output escaping. An unauthenticated attacker can submit arbitrary script payloads in these fields; the payloads persist in the database and are written into the page whenever it is later requested. Because the payload is stored server‑side, it fires for every subsequent visitor to that page, not only for the user who submitted it: the injected script runs in each victim's browser under the site's origin, letting the attacker execute client‑side code as that user.
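The two halves of the defect described above, shown side by side as an added illustration that is not the plugin's own source: a vulnerable handler that stores raw request values and echoes them unescaped, and a hardened one that enforces the numeric type on input and escapes on output. The function names, option name and POST parameter names (`loan_amount`, `loan_period`) are assumptions chosen for the example; the advisory only identifies the fields as the loan‑amount and loan‑period parameters.

```php
<?php
// Added example. Not code from the Quick Interest Slider plugin; all names
// below (qis_demo_*, the qis_demo_defaults option, the POST parameter names)
// are assumptions made for illustration.

// --- Vulnerable pattern: raw values stored, later echoed without escaping ---
function qis_demo_save_vulnerable() {
    // A visitor submits e.g. loan_amount="><script>alert(document.domain)</script>
    $amount = isset( $_POST['loan_amount'] ) ? $_POST['loan_amount'] : '';
    $period = isset( $_POST['loan_period'] ) ? $_POST['loan_period'] : '';
    // Stored verbatim, so the script text now lives in wp_options.
    update_option( 'qis_demo_defaults', array( 'amount' => $amount, 'period' => $period ) );
}

function qis_demo_render_vulnerable() {
    $d = get_option( 'qis_demo_defaults', array( 'amount' => '', 'period' => '' ) );
    // No escaping: the stored quote and tag break out of the attribute and the
    // browser executes the script for every user who loads this page.
    echo '<input type="text" name="loan_amount" value="' . $d['amount'] . '">';
    echo '<input type="text" name="loan_period" value="' . $d['period'] . '">';
}

// --- Hardened pattern: validate the type on input, escape for the output context ---
function qis_demo_save_hardened() {
    // If this handler backs an admin form, also require a capability and a nonce
    // (current_user_can() + check_admin_referer()); a public front-end form cannot
    // rely on that, so the type check below is the line of defense that must hold.
    // Both fields are numbers by design: absint() discards any tag or script text.
    $amount = isset( $_POST['loan_amount'] ) ? absint( $_POST['loan_amount'] ) : 0;
    $period = isset( $_POST['loan_period'] ) ? absint( $_POST['loan_period'] ) : 0;
    update_option( 'qis_demo_defaults', array( 'amount' => $amount, 'period' => $period ) );
}

function qis_demo_render_hardened() {
    $d = get_option( 'qis_demo_defaults', array( 'amount' => 0, 'period' => 0 ) );
    // Escape at output for the attribute context regardless of what was validated on
    // input; the database may hold values written before the fix or by other code.
    echo '<input type="text" name="loan_amount" value="' . esc_attr( $d['amount'] ) . '">';
    echo '<input type="text" name="loan_period" value="' . esc_attr( $d['period'] ) . '">';
    // For body text rather than an attribute, use esc_html() instead.
    echo '<p>Amount: ' . esc_html( $d['amount'] ) . ' over ' . esc_html( $d['period'] ) . ' months</p>';
}
```

Both sanitization and escaping are kept in the hardened version deliberately: input validation stops new payloads from being stored, while output escaping neutralizes anything already persisted, including records written by the vulnerable releases before an upgrade.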
Affected Systems
The flaw applies to all releases of Quick Interest Slider developed by aerin up to and including version 3.1.5. Any WordPress site that has one of those versions installed is affected.
Risk and Exploitability
The advisory assigns a CVSS v3 base score of 7.2 (high). No EPSS score is supplied, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires no authentication: an attacker only needs to submit malicious input through the loan parameters and wait for a user to view a page that renders the stored data. Because the payload runs in the browser of everyone who views that page, the exposure is significant for any site that renders the plugin's stored content. No public exploit is referenced, so the operational threat is unconfirmed rather than demonstrated, but the high CVSS score and the low skill required warrant prompt mitigation.
OpenCVE Enrichment