Impact
The vulnerability is an improper neutralization of input during web page generation, enabling a stored cross‑site scripting (XSS) flaw in the YeeMail Email Templates Customizer plugin. An attacker can inject malicious JavaScript into an email template that is later rendered by the website. When an authenticated or unauthenticated visitor views the template, the injected script runs in the victim's browser, potentially allowing session hijacking, defacement, or the execution of arbitrary actions on behalf of the user.
Affected Systems
The issue affects the WordPress plugin named Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail, available from add-ons.org. All released versions up to and including 2.1.4 contain the flaw. No specific downstream product versions are listed.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity vulnerability, and the EPSS score of less than 1% suggests a low current exploitation likelihood. The flaw is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user who can edit or create email templates within the WordPress admin interface; the attacker would embed malicious content into a template that is subsequently served to other site visitors. Exploitation requires an authenticated session with template editing rights but does not grant direct control over the server or execute arbitrary code on the host.
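The root cause described above is stored markup that is persisted and echoed without sanitization. The following is an added illustration, not YeeMail's code: a hypothetical template save/render pair in its unsafe form beside a hardened form that adds a capability check, a nonce check and wp_kses_post() filtering (the example_* function names and the option name are assumptions; the WordPress APIs used are real).

```php
<?php
/**
 * Added example (not the plugin's own code): unsafe versus hardened
 * handling of a user-supplied email template in a WordPress plugin.
 * Function and option names are hypothetical; wp_kses_post(), esc_html__(),
 * current_user_can(), check_admin_referer() and wp_unslash() are WordPress core.
 */

// --- Unsafe pattern: raw HTML stored and echoed back unchanged ----------
function example_vuln_save_template( $raw_html ) {
    // No capability check and no sanitization: whatever markup is submitted,
    // including <script> elements or on* event attributes, is persisted as-is.
    update_option( 'example_email_template', $raw_html );
}

function example_vuln_render_template() {
    // Echoing the stored markup verbatim is the stored-XSS sink.
    echo get_option( 'example_email_template', '' );
}

// --- Hardened pattern: authorise, verify the request, allow-list the HTML --
function example_safe_save_template( $raw_html ) {
    // Only users permitted to manage site options may change templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_admin_referer( 'example_save_template' );

    // wp_kses_post() keeps the markup a post body may contain (p, a, img,
    // table, inline style, ...) and drops script elements, on* handlers and
    // javascript: URLs, which is sufficient for an HTML email template.
    $clean = wp_kses_post( wp_unslash( $raw_html ) );
    update_option( 'example_email_template', $clean );
}

function example_safe_render_template() {
    // Defence in depth: apply the allow-list again at output time so a value
    // written by an older, unsanitised version is still neutralised.
    echo wp_kses_post( get_option( 'example_email_template', '' ) );
}

// Hypothetical hook so the hardened renderer is used wherever the template
// is previewed on the site.
add_action( 'example_render_email_template', 'example_safe_render_template' );
```

Sanitising on save alone is not enough for an already-affected site, because templates stored before the fix keep their original markup; filtering at output, as above, also neutralises those.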