Security readout for executives and security teams
Plain-English summary
A WordPress site using the fluid-responsive-slideshow plugin below 2.2.7 could reflect attacker-supplied script through the skin parameter. This can affect visitors who open a crafted link, with risk centered on browser-side session abuse, phishing, or content manipulation.
Executive priority
Treat this as a targeted website hygiene issue, not an emergency from the available evidence. Prioritize remediation on public WordPress sites, especially where authenticated users or customers interact with the affected plugin.
Technical view
CVE-2016-10975 is a reflected cross-site scripting issue in the WordPress fluid-responsive-slideshow plugin before 2.2.7. The published description identifies the skin parameter as the vulnerable input. The source bundle does not provide CVSS, CWE, exploit details, or affected CPEs.
Likely exposure
Exposure is likely limited to WordPress installations that installed fluid-responsive-slideshow and are running a version earlier than 2.2.7. Sites without the plugin, or with the plugin updated beyond the vulnerable range, are not indicated as affected by the provided sources.
Exploitation context
The CVE is not listed as KEV in the provided bundle, and no cited source in the bundle states active exploitation. Reflected XSS typically requires a victim to follow a crafted URL or otherwise reach attacker-controlled input in a browser context.
Researcher notes
The public record is sparse: the bundle names the vulnerable parameter and fixed version boundary, but does not include CVSS, CWE, CPEs, proof details, or confirmed exploitation. Avoid assuming broader WordPress impact beyond this plugin and version range.
Mitigation direction
- Upgrade fluid-responsive-slideshow to version 2.2.7 or later if available.
- Remove the plugin if it is unused or cannot be updated.
- Check WordPress.org plugin developer notes for current vendor guidance.
- Apply normal WordPress hardening around admin sessions and plugin maintenance.
Validation and detection
- Inventory WordPress sites for the fluid-responsive-slideshow plugin.
- Confirm installed plugin versions are 2.2.7 or later.
- Review web logs for unusual requests containing the skin parameter.
- Verify the plugin is absent where business owners say it is unused.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2016-10975 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://wordpress.org/plugins/fluid-responsive-slideshow/#developersCVE reference · x_refsource_MISC
- https://klikki.fi/adv/fluid_responsive_slideshow.htmlCVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
