Impact
The Navigation Du Lapin Blanc plugin for WordPress contains an improper neutralization of input during page generation that permits a DOM‑based cross‑site scripting (XSS) attack. An attacker can supply malicious JavaScript content that is subsequently rendered in the victim’s browser, potentially enabling the theft of session cookies, defacement of the user interface, or execution of arbitrary actions on behalf of the authenticated user. The weakness falls under CWE‑79, indicating that the data is not properly sanitized before inclusion in the generated document.
Affected Systems
WordPress sites running the Navigation Du Lapin Blanc plugin at any release up to and including 1.1.1 are affected. The plugin is identified as bjoerne:Navigation Du Lapin Blanc. The vulnerability applies to every installation of these versions regardless of the site theme or other installed plugins.
Risk and Exploitability
The CVSS score of 6.5 classifies this issue as moderate in severity. The very low EPSS score of < 1% suggests that, as of this assessment, exploitation in the wild is unlikely, and the weakness is not currently listed in the CISA Known Exploited Vulnerabilities catalog. On a technical level, the likely attack vector is the submission of crafted input, such as query parameters or form fields, through the plugin's public interface, which is then rendered into page content without adequate escaping. Because the vulnerability is DOM-based, exploitation requires that a user visit a page containing the crafted input; in practice this only requires the victim to follow a single embedded link.
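As an added illustration, not the plugin's own code (which the advisory does not reproduce), the following contrasts the rendering pattern CWE-79 describes, where a URL parameter is concatenated straight into markup, with its escaped counterpart. It is written to run outside a browser; the parameter name `label`, the class name and all function names are assumptions.

```javascript
// Added example: two rendering paths for a navigation label read from an
// untrusted URL parameter. Names (renderUnsafe, renderSafe, "label") are
// assumptions; the real plugin code is not shown on the advisory page.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML parsing context when
// text is placed into element content or a quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// The DOM-based source: read the label from the query string.
function labelFromQuery(search) {
  const params = new URLSearchParams(search);
  return params.get('label') ?? '';
}

// Vulnerable pattern (CWE-79): attacker-controlled text concatenated into
// markup that a browser would later receive via innerHTML. Returned as a
// string here so the example runs without a DOM.
function renderUnsafe(search) {
  return `<span class="lapin-nav">${labelFromQuery(search)}</span>`;
}

// Hardened pattern: escape before concatenation. In a browser, assigning
// the label with `el.textContent = label` achieves the same result without
// any manual escaping, and is the preferable fix.
function renderSafe(search) {
  return `<span class="lapin-nav">${escapeHtml(labelFromQuery(search))}</span>`;
}

// Constructed sample input: a label containing markup-significant characters.
const SAMPLE_SEARCH = '?label=' + encodeURIComponent('<i>Accueil</i> & "Ch. 1"');

console.log(renderUnsafe(SAMPLE_SEARCH)); // the <i> tag would be parsed as markup
console.log(renderSafe(SAMPLE_SEARCH));   // the tag is rendered as literal text
```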