Impact
The vulnerability is an improper neutralization of input during web page generation (stored cross-site scripting): attacker-supplied script can be stored through the Pastebin pastebin-embed plugin. When a stored paste is later viewed, the unescaped script executes in the viewer's browser. This can lead to client-side attacks such as defacement, cookie theft or malicious redirects. The weakness is classified as CWE-79 and represents a moderate-severity security flaw.
Affected Systems
The Pastebin pastebin-embed plugin supplied by Rami Yushuvaev is affected. All installed copies from the earliest revision up to and including version 1.5 are vulnerable. No additional affected versions are listed.
Risk and Exploitability
The CVSS score of 6.5 classifies the issue as medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the plugin's content submission interface, where an attacker can inject a script that is later rendered for every user who views that content. Because the flaw is stored rather than reflected, a single injected payload affects every subsequent user who accesses the stored paste. While widespread exploitation has not been reported, the medium CVSS score and the stored execution pathway warrant timely remediation.
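As an added illustration of the CWE-79 pattern described under Impact and of the content-submission vector described above (this is not the pastebin-embed plugin's code, which is not on this page), the following PHP shows a hypothetical paste-embedding shortcode that writes a stored attribute straight into markup, beside a hardened version that validates the identifier and escapes on output. The function names, the embed host and the sample input are all assumptions made for the example.

```php
<?php
// Added illustration of CWE-79 in a paste-embedding shortcode. This is NOT the
// pastebin-embed plugin's code; the function names, the embed host and the
// sample input are made up for the example.

// Fallbacks so the file runs outside WordPress; inside WordPress the real
// esc_attr() and shortcode_atts() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}

// Vulnerable pattern: the stored attribute is concatenated into markup unchanged,
// so a value that closes the src attribute and opens a <script> tag is delivered
// to every viewer of the page that contains the shortcode.
function hypothetical_embed_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts );
    return '<iframe src="https://paste.example.invalid/embed/' . $atts['id'] . '"></iframe>';
}

// Hardened pattern: reject anything that is not a plausible paste identifier, then
// escape on output anyway. The allowlist is the primary control; escaping protects
// against a later loosening of the validation rule.
function hypothetical_embed_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts );
    if ( ! preg_match( '/^[A-Za-z0-9]{1,16}$/', $atts['id'] ) ) {
        return ''; // drop the embed instead of rendering untrusted markup
    }
    return '<iframe src="https://paste.example.invalid/embed/' . esc_attr( $atts['id'] ) . '"></iframe>';
}

// Constructed sample input: an attribute value that tries to break out of src="...".
$stored = array( 'id' => '"></iframe><script>alert(1)</script><iframe src="' );

echo hypothetical_embed_vulnerable( $stored ), PHP_EOL;              // script tag reaches the browser
echo hypothetical_embed_hardened( $stored ), PHP_EOL;                // empty string: input rejected
echo hypothetical_embed_hardened( array( 'id' => 'abc123' ) ), PHP_EOL; // normal embed rendered
```

The detection-side takeaway is the same as the remediation: look for plugin output paths that concatenate stored values into HTML without an `esc_*` call, and prefer a strict allowlist on identifiers over escaping alone, since a paste ID never legitimately contains quotes or angle brackets.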