Improper neutralization of input during web page generation allows an attacker to inject malicious scripts that are permanently stored within the Kopa Nictitate Toolkit plugin’s output. The injected code executes in the browsers of any user who views the affected pages, potentially leading to data theft, cookie hijacking, or other coercive actions. This weakness is a classic example of input validation failure, mapped to CWE‑79.

The vulnerability applies to any WordPress site that has installed the Kopa Nictitate Toolkit plugin with a version from its initial release through 1.0.2. Users of newer releases beyond 1.0.2 are not affected, while older or unchanged installations remain at risk.

The CVSS score of 6.5 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the flaw is not flagged in CISA’s KEV catalog. The vulnerability can be exploited if an attacker can provide content that the plugin stores and subsequently displays. The CVE description does not specify the privilege level required; based on the stored XSS nature, it is inferred that access to create or modify content that the plugin stores would be necessary, though this is not explicitly documented.