Impact
Improper neutralization of user input in the Verge3D publishing and e‑commerce WordPress plugin allows an attacker to inject arbitrary JavaScript into web pages that are rendered to visitors. The vulnerability can lead to theft of session cookies, defacement, or execution of malicious code in the browser context of users navigating the site. The plugin's input fields lack proper output encoding, so a crafted request can cause a visitor's browser to execute attacker‑supplied script code.
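The flaw described above is the classic "echo a request parameter without escaping" pattern. The following is an added illustrative example, not code from the Verge3D plugin; the parameter name `term` and the two functions are hypothetical, while `sanitize_text_field()`, `wp_unslash()`, `esc_html()`, `esc_attr()` and `esc_url()` are real WordPress core functions.

```php
<?php
// Added illustrative example; not the Verge3D plugin's own code.
// Reflected XSS of the kind in this advisory arises when a request
// parameter is written back into HTML without output encoding.

// VULNERABLE pattern: the raw value reaches the page, so any markup
// it contains is parsed and executed by the visitor's browser.
function render_notice_vulnerable() {
    // 'term' is a hypothetical query parameter used for illustration.
    $term = isset( $_GET['term'] ) ? $_GET['term'] : '';
    echo '<p>Results for: ' . $term . '</p>';
}

// HARDENED pattern: sanitize on input, then escape on output with the
// WordPress helper that matches the HTML context being written.
function render_notice_hardened() {
    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';

    // Text node: esc_html() entity-encodes < > & " ' so a <script>
    // tag renders as literal text instead of executing.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';

    // Attribute value: esc_attr() for the same reason inside quotes.
    echo '<input type="text" name="term" value="' . esc_attr( $term ) . '">';

    // URL context: esc_url() additionally rejects javascript: and
    // other unsafe schemes before the value lands in href/src.
    echo '<a href="' . esc_url( '/search/?term=' . rawurlencode( $term ) ) . '">Repeat search</a>';
}
```

When auditing a plugin for this class of bug, look for `echo`/`print` of `$_GET`, `$_POST` or `$_REQUEST` values (or of variables derived from them) with no `esc_*()` call on the output path; sanitizing on input alone is not sufficient, because the correct encoding depends on where the value is written.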
Affected Systems
Soft8Soft LLC's Verge3D WordPress plugin, versions from the first release through 4.8.0, is affected. Any site running one of these legacy plugin versions is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity for a Cross‑Site Scripting flaw. The EPSS score of less than 1 % suggests that exploit activity is currently rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a reflected request that an attacker can deliver from an external source, making the flaw exploitable without special privileges. Thus, while the impact is significant, the overall risk to an organization is moderated by the low exploitation probability indicated by the EPSS metric.
OpenCVE Enrichment