CVE-2025-39573: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in teastudio.pl WP Posts Carousel plugin affecting versions through 1.3.10. The vulnerability was discovered on April 16, 2025, and has been assigned CVE-2025-39573. This security issue affects WordPress installations using the WP Posts Carousel plugin (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact includes potential compromise of confidentiality, integrity, and availability at a low level for each aspect (Patchstack).

The vulnerability has been fixed in version 1.3.11 of the WP Posts Carousel plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue has a low severity impact and is unlikely to be exploited, but updating is still recommended as the best mitigation strategy (Patchstack).