Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-delivered reflected XSS needs no attacker auth (PR:N) but a victim click (UI:R); script runs cross-context (S:C) with limited C/I/A impact typical of XSS.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS.
This issue affects Slider Revolution: from 7.0.0 through 7.0.16.
AnalysisAI
Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires victim user interaction (CVSS UI:R): the target must open an attacker-crafted link/request carrying the XSS payload in a Slider Revolution front-end or admin parameter, so it cannot be triggered silently or fully automatically. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network-reachable, low complexity, and no privileges required, which raises exposure, but exploitation depends on user interaction (UI:R) - a victim must click a malicious link - which meaningfully limits mass, automated abuse. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target WordPress site with a malicious JavaScript payload embedded in a Slider Revolution request parameter and delivers it to a victim (e.g., a logged-in administrator) via phishing email or a malicious link. When the victim clicks the link, the unsanitized parameter is reflected into the page and the script executes in their browser, allowing session/cookie theft or actions in their authenticated context. … |
| Remediation | Update Slider Revolution to a release newer than 7.0.16 (a version above the affected range published by ThemePunch/Patchstack); an exact patched version number was not provided in the input, so verify the current fixed release via the vendor and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/revslider/vulnerability/wordpress-slider-revolution-plugin-7-0-16-cross-site-scripting-xss-vulnerability before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations for Slider Revolution deployments and current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41323
GHSA-9pp5-gx3c-vjc2