Impact
The Marmoset Viewer plugin for WordPress contains an improper neutralization of input during web page generation vulnerability that allows an attacker to store malicious scripts in the application. Once stored, the scripts are executed in the browsers of any user who views the affected content, making it possible to steal cookies, hijack sessions, plant phishing or malware payloads, and compromise the confidentiality and integrity of end-user data. The description explicitly classifies the weakness as a stored XSS and links it to CWE-79.
Affected Systems
The vulnerable product is the Revoxis Marmoset Viewer WordPress plugin in version 1.9.3 or earlier. No lower bound is specified, so all releases up to and including 1.9.3 are considered affected. The issue applies to any WordPress site that has the plugin installed at or below the stated version.
Risk and Exploitability
The CVSS score of 6.5 rates the issue as medium severity; the EPSS score of less than 1% indicates a very low but non-zero estimated exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit the flaw by inserting malicious payloads into the plugin's input fields, which are subsequently rendered without proper sanitization. Because the description declares no anonymous injection surface, the attack vector is inferred to require an authenticated user with the ability to edit content. Successful exploitation allows script execution in the victim's browser context.
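The shape of this bug class in a WordPress plugin, as an added illustration that is not the Marmoset Viewer's own code: a hypothetical shortcode handler that echoes stored attributes into markup unescaped, next to a hardened version using WordPress's escaping helpers. The shortcode name (`viewer_embed`) and its attributes are invented for the example.

```php
<?php
// Added example, not the plugin's code. Shortcode name and attributes are hypothetical.

// Vulnerable pattern: stored shortcode attributes are concatenated straight into HTML.
// Anyone who can edit content can store an attribute value that breaks out of the
// quoted attribute or supplies a non-http URL; it then runs for every visitor.
function viewer_embed_unsafe( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '', 'width' => '800' ), (array) $atts );
    return '<div class="viewer" data-src="' . $a['src'] . '" title="' . $a['title'] . '"'
         . ' style="width:' . $a['width'] . 'px"></div>';
}

// Hardened pattern: each value is escaped for the context it lands in,
// URLs are restricted to http(s), and numeric values are coerced to integers.
function viewer_embed_safe( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '', 'width' => '800' ), (array) $atts );

    // esc_url() with an explicit protocol list rejects javascript:, data: and similar schemes
    // and returns '' for anything that is not http(s).
    $src = esc_url( $a['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return ''; // refuse to render rather than emit an attacker-controlled URL
    }

    $width = absint( $a['width'] );          // never interpolate a raw string into CSS
    if ( $width < 1 || $width > 4096 ) {
        $width = 800;
    }

    return sprintf(
        '<div class="viewer" data-src="%s" title="%s" style="width:%dpx"></div>',
        $src,                                // already attribute-safe from esc_url()
        esc_attr( $a['title'] ),             // attribute context: quotes, <, > become entities
        $width
    );
}

add_shortcode( 'viewer_embed', 'viewer_embed_safe' );
```

The same rule applies to every other output path: esc_html() for text nodes, esc_js() for inline script data, and wp_kses_post() where a limited set of rich HTML must be preserved.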
OpenCVE Enrichment