Impact
Improper neutralization of user input in the Easy WP Tiles plugin results in a stored XSS flaw: arbitrary JavaScript saved through the plugin executes when a generated page is viewed. The published description indicates that malicious code can be stored and then run within the context of any visitor’s session, potentially enabling cookie theft, session hijacking or defacement of the site. The description does not say so explicitly, but it can be inferred that the injected script would execute with the privileges of the authenticated user who loads the affected page.
Affected Systems
WordPress installations running the Easy WP Tiles plugin at version 1 or earlier are affected. No further version granularity is disclosed, so any site with this plugin installed at or below the stated upper bound is potentially vulnerable.
Risk and Exploitability
The CVSS score of 5.9 denotes a moderate-severity vulnerability. The EPSS score of less than 1% and the absence from the CISA KEV catalog imply a low likelihood of widespread exploitation at present. The likely attack vector is the plugin’s content-submission interface: an attacker with permission to create or edit content within the plugin can embed a malicious script that is then stored and delivered to all visitors. Because this is a stored XSS, no elevated privileges beyond the ability to use the plugin’s interface are required, making it relatively straightforward to deploy if authenticated access is available.