Impact
Improper Neutralization of Input During Web Page Generation causes a stored cross‑site scripting vulnerability in the VR Views plugin. The flaw allows an attacker to embed malicious scripts that are stored and later rendered on pages, enabling arbitrary JavaScript execution in visitors' browsers.
Affected Systems
The vulnerability affects the WordPress VR Views plugin, released by the vendor goldsounds, in versions through 1.5.1. All plugin releases from the initial version up to and including 1.5.1 are susceptible.
Risk and Exploitability
The CVSS score of 6.5 places the issue in the medium severity range, with client-side impact. The EPSS score of less than 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to inject malicious content through an administrative or content-creation interface; that content is then stored in the database and later served to users. Once executed, the embedded scripts run in the visiting user's browser with that user's privileges on the site, potentially compromising user accounts or distributing malware.