Impact
The vulnerability in justin.kuepper QuoteMedia Tools allows an attacker to inject malicious JavaScript into a WordPress site through the plugin’s unsanitized input handling. This DOM‑based cross‑site scripting (XSS) flaw lets the injected script execute in the context of any visitor who loads a page that includes the malicious payload, potentially leading to credential theft, cookie hijacking, or unauthorized actions performed on behalf of that visitor. The weakness is an example of improper input neutralization during web page generation.
Affected Systems
WordPress sites that have the QuoteMedia Tools plugin version 1.0 or earlier installed are affected. The vulnerability is present in all releases from the initial release through version 1.0 of the plugin, regardless of other site configurations.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be web‑based, mediated through crafted input that the plugin reflects unsanitized in the DOM. An attacker would need to persuade a site visitor to load a page containing the malicious script, or exploit the plugin via a specifically crafted URL or form input.