Impact
The WP Joomag plugin allows an attacker to inject malicious script into the page view rendered by the site. The attack vector is inferred to be browser-based from the DOM-based nature of the flaw. Because input supplied to the plugin is not properly sanitized, an attacker can craft a URL or form submission that causes the victim's browser to execute arbitrary JavaScript. The impact may include session hijacking, credential exfiltration, or other client-side attacks; these effects are inferred from the nature of DOM-based XSS and are not explicitly detailed in the CVE description.
Affected Systems
Administrators running WordPress installations with the WP Joomag plugin at version 2.5.2 or earlier are affected. The vulnerability is present from the earliest release of the plugin up to and including 2.5.2, and the vendor identifies the affected product as joomag:WP Joomag.
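As an added affected-version check (not from the advisory or the vendor), the POSIX shell script below reads the installed plugin version from its header and compares it component by component against 2.5.2, so it does not depend on `sort -V`. The plugin directory slug `wp-joomag` and main file name `wp-joomag.php` are assumptions; adjust them to match the install.

```shell
#!/bin/sh
# Affected-version check for the WP Joomag advisory (added example, not vendor code).
# Assumed: plugin lives in wp-content/plugins/wp-joomag with main file wp-joomag.php.

LAST_AFFECTED="2.5.2"   # last affected release per the advisory

# version_le A B -> exit 0 if A <= B, comparing dotted numeric components
# (missing components count as 0, so "2.5" <= "2.5.2" and "2.10" > "2.9").
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 0
}

# is_affected VERSION -> exit 0 when VERSION <= 2.5.2
is_affected() { version_le "$1" "$LAST_AFFECTED"; }

# plugin_version DIR -> prints the "Version:" value from the plugin header
plugin_version() {
    f="$1/wp-joomag.php"
    [ -r "$f" ] || return 1
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$f" | head -n 1
}

# check_site WP_ROOT -> exit 0 if an affected version is installed, 1 if not, 2 if absent
check_site() {
    v=$(plugin_version "$1/wp-content/plugins/wp-joomag") || { echo "wp-joomag not installed"; return 2; }
    if is_affected "$v"; then
        echo "AFFECTED: wp-joomag $v (<= $LAST_AFFECTED)"; return 0
    else
        echo "not affected: wp-joomag $v"; return 1
    fi
}
```

Run it as `check_site /var/www/html` from a shell on the web host; a zero exit status means the installed version is within the affected range.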
Risk and Exploitability
The CVSS base score of 6.5 indicates a medium-severity issue with moderate impact on confidentiality and integrity when the attack vector is browser-based. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and CISA has not listed this vulnerability in its KEV catalog. However, because the flaw is DOM-based, an attacker only needs a victim to visit a crafted link; neither elevated permissions nor remote code execution is required. Users who view affected pages could have their browser state compromised.