The vulnerability is a stored cross‑site scripting flaw described as CWE‑79 that permits malicious script injection into the plugin’s data store. When an attacker places crafted payloads into input fields that the plugin preserves, those scripts are later rendered on pages accessed by site visitors, potentially allowing cookie theft, credential hijacking, defacement, or other client‑side attacks. The primary impact is a compromise of confidentiality and integrity for users who view the affected content.

Simon Show Google Analytics widget is a WordPress plugin available for any WordPress installation. Versions from the initial release up through 1.5.4 are affected because user input is not properly neutralized before storage.

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests low exploitation likelihood. The likely attack vector involves an attacker submitting malicious data through the plugin’s input fields, which are then persisted and rendered to all site visitors. Because the flaw is stored, the vulnerability can be triggered remotely where the plugin is exposed to unauthenticated or authenticated users with write permissions. The issue is not listed in CISA’s KEV catalog.