Impact
Improper neutralization of input during web page generation (stored cross-site scripting) allows an attacker to inject JavaScript that is persisted in the EO4WP plugin's data and executed in the browser of any user who visits an affected page. Because the script runs in the site's origin with the victim's privileges, it can be used to steal session cookies where they are not marked HttpOnly, perform actions as the victim (including reading nonces from the page to forge authenticated requests), deface page content, or redirect visitors to malicious sites, compromising the confidentiality, integrity and availability of the site's web content.
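The following is an added illustration of the general pattern behind this class of bug in a WordPress plugin; it is not code from the fw-integration-for-emailoctopus plugin or its author, and the option name `eo4wp_demo_form_title` and function names are hypothetical. It shows a stored value echoed unescaped next to the same render path escaped for its output context, plus a sanitize callback on save.

```php
<?php
// Added example, not the plugin's own code. Option and function names are
// hypothetical. Demonstrates stored XSS through an unescaped render path in a
// WordPress settings page, and the corrected version.

// Vulnerable pattern: a user-supplied string is saved with update_option()
// and later echoed into the page as-is. A stored value such as
//   <img src=x onerror="alert(document.cookie)">
// survives storage untouched and executes in every visitor's browser.
function eo4wp_demo_render_vulnerable() {
    $title = get_option( 'eo4wp_demo_form_title', '' );
    echo '<h2 class="eo4wp-title">' . $title . '</h2>';
    echo '<input type="text" name="eo4wp_title" value="' . $title . '">';
}

// Hardened pattern: escape at render time for the exact output context.
// esc_html() for element text, esc_attr() for attribute values, esc_url()
// for href/src targets. Escaping on output is the primary control because
// the same stored value may be rendered in several contexts.
function eo4wp_demo_render_fixed() {
    $title = get_option( 'eo4wp_demo_form_title', '' );
    echo '<h2 class="eo4wp-title">' . esc_html( $title ) . '</h2>';
    echo '<input type="text" name="eo4wp_title" value="' . esc_attr( $title ) . '">';
}

// Second layer: sanitize on save through the option's sanitize callback, so
// markup never reaches the database in the first place. This does not replace
// output escaping; it only narrows what can be stored.
function eo4wp_demo_register_setting() {
    register_setting(
        'eo4wp_demo',
        'eo4wp_demo_form_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'eo4wp_demo_register_setting' );
```

When reviewing a plugin for this issue, trace every `get_option()`, post-meta or shortcode-attribute read to the `echo` or template that emits it and confirm an `esc_*()` call matches the surrounding HTML context; a value that is safe inside `esc_html()` is still dangerous if later placed in an `href` without `esc_url()`.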
Affected Systems
The vulnerability resides in the EO4WP plugin for WordPress (directory slug ‘fw‑integration‑for‑emailoctopus’), developed by Olaf Lederer. All releases up to and including version 1.0.8.1 are affected. Any site with one of these versions installed and active is exposed.
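An added check, not part of the advisory or the plugin, that a site administrator can run from the WordPress root with `wp eval-file eo4wp-version-check.php` to determine whether the installed copy falls in the affected range. It discovers the plugin through `get_plugins()` so the main file name does not need to be known; the only assumption taken from the advisory is the directory slug `fw-integration-for-emailoctopus` and the last affected version `1.0.8.1`.

```php
<?php
// Added check, not from the plugin or its author. Intended to run inside a
// WordPress bootstrap, e.g. `wp eval-file eo4wp-version-check.php`.
// Assumes the plugin directory slug from the advisory; the main file name is
// discovered at runtime.

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

const EO4WP_SLUG          = 'fw-integration-for-emailoctopus'; // from the advisory
const EO4WP_LAST_AFFECTED = '1.0.8.1';                         // from the advisory

// Returns null when the plugin is not installed, otherwise an array with the
// plugin file, installed version, active state and whether it is affected.
function eo4wp_check_installed_version() {
    foreach ( get_plugins() as $file => $data ) {
        if ( dirname( $file ) !== EO4WP_SLUG ) {
            continue;
        }
        $installed = (string) $data['Version'];
        return array(
            'file'     => $file,
            'version'  => $installed,
            'active'   => is_plugin_active( $file ),
            // version_compare() handles four-component versions such as 1.0.8.1.
            'affected' => version_compare( $installed, EO4WP_LAST_AFFECTED, '<=' ),
        );
    }
    return null;
}

$result = eo4wp_check_installed_version();

if ( null === $result ) {
    WP_CLI::log( EO4WP_SLUG . ' is not installed.' );
} elseif ( $result['affected'] ) {
    WP_CLI::warning( sprintf(
        '%s version %s is within the affected range (<= %s); plugin active: %s.',
        EO4WP_SLUG,
        $result['version'],
        EO4WP_LAST_AFFECTED,
        $result['active'] ? 'yes' : 'no'
    ) );
} else {
    WP_CLI::success( sprintf(
        '%s version %s is newer than the last affected release %s.',
        EO4WP_SLUG,
        $result['version'],
        EO4WP_LAST_AFFECTED
    ) );
}
```

An inactive copy in the affected range still warrants removal or an update, since it can be reactivated later; the check reports the active state so that both cases are visible.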
Risk and Exploitability
The base CVSS score of 6.5 places the issue in the Medium severity range: meaningful damage is possible when it is exploited, but the flaw is not rated critical. The EPSS score below 1% indicates a very low probability of exploitation in the wild at present, and the issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The exact prerequisites for exploitation are not stated. For a stored XSS in a WordPress plugin they typically amount to being able to submit data that the plugin saves and later renders; depending on the plugin this may require an authenticated account with access to the plugin's configuration or may be reachable through an unauthenticated input path, and administrators should assume the lower bar until the vector is confirmed. In either case the attacker's task is to supply markup or script that the plugin fails to neutralize before storing it and subsequently outputting it to other users' browsers.