An improper neutralization of input in the Live Flight Radar WordPress plugin allows attackers to inject malicious JavaScript that is stored and later rendered in the browser of any user who views the affected page. This stored Cross‑Site Scripting flaw can lead to session hijacking, credential theft, or redirection to malicious sites, compromising user confidentiality and potentially enabling attackers to execute arbitrary code within the victim's session. The weakness is identified as CWE‑79.

WordPress sites running the Live Flight Radar plugin by lucia.intelisano at any version up to and including 1.0 are affected. The plugin versions prior to 1.0, as well as 1.0 itself, contain the vulnerable input handling. No specific version ranges are defined beyond <=1.0.

The CVSS base score of 6.5 indicates a moderate severity vulnerability, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers inject malicious script through the plugin’s input fields, which is stored and rendered on subsequent page loads for any visitor to the affected page. The lack of a current KEV listing and the low EPSS make this a lower‑threat target, but the impact of a successful exploitation remains significant.