Impact
The JB Horizontal Scroller News Ticker plugin for WordPress contains an improper neutralization of input during web page generation, enabling DOM‑based XSS. The flaw allows an attacker to inject malicious scripts that will execute in the browsers of users who view the affected pages. This can lead to credential theft, session hijacking, defacement or the delivery of further malware, thereby compromising the confidentiality, integrity and availability of user interactions with the site.
Affected Systems
The vulnerability affects the Jobair JB Horizontal Scroller News Ticker plugin on WordPress installations running any version of the plugin up through 1.0. No specific patch version is listed, but all installations of v1.0 or earlier are susceptible.
Risk and Exploitability
The moderate CVSS score of 6.5 reflects the potential impact of this client‑side attack. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not catalogued in the CISA KEV list. Exploitation requires an attacker to provide malicious input that is rendered unsanitized on the page, typically through a configuration setting or content field that the plugin displays. While there is no direct remote code execution, the ability to run arbitrary JavaScript in the victim’s browser makes the risk significant for sites that allow untrusted input via the plugin.
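The rendering pattern the advisory describes, as an added example that is not the plugin's own code: a news-ticker renderer that concatenates item fields into innerHTML (the DOM-based XSS sink) beside a hardened version that builds nodes with createElement and textContent and only links to http/https URLs. The item shape (title, url) and the sample items are constructed for illustration.

```javascript
// Added example, not the plugin's code. Item fields (title, url) are assumed.

// Constructed sample: the second item carries markup and a non-web URL the way an
// untrusted configuration or content field might.
const SAMPLE_ITEMS = [
  { title: "Release 1.0 is out", url: "https://example.com/news/1" },
  { title: "<script>alert(1)</script>", url: "javascript:alert(1)" },
];

// UNSAFE: untrusted strings are concatenated into innerHTML, so the browser parses
// any markup in a title or href as HTML and a stored script would execute.
function renderTickerUnsafe(items, doc = globalThis.document) {
  const track = doc.createElement("div");
  track.innerHTML = items
    .map((it) => `<a class="ticker-item" href="${it.url}">${it.title}</a>`)
    .join("");
  return track;
}

// Only http/https URLs may become links; javascript:, data: and unparsable values are
// rejected (returns null). The original string is returned unchanged when accepted.
function safeHref(url) {
  try {
    const { protocol } = new URL(String(url));
    return protocol === "http:" || protocol === "https:" ? String(url) : null;
  } catch {
    return null;
  }
}

// SAFE: nodes are created with createElement and text is assigned via textContent, so
// item fields are never parsed as HTML. Items with a rejected URL render as plain text.
function renderTickerSafe(items, doc = globalThis.document) {
  const track = doc.createElement("div");
  for (const it of items) {
    const href = safeHref(it.url);
    const node = doc.createElement(href ? "a" : "span");
    node.className = "ticker-item";
    if (href) node.setAttribute("href", href);
    node.textContent = String(it.title); // text, not markup
    track.appendChild(node);
  }
  return track;
}

// Renders the constructed sample when a real DOM is present (e.g. in a browser console).
if (typeof document !== "undefined") {
  document.body.appendChild(renderTickerSafe(SAMPLE_ITEMS));
}
```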
OpenCVE Enrichment