Impact
The Easy Chart Builder for WordPress plugin contains a stored cross-site scripting (XSS) flaw caused by improper neutralization of user input during web page generation. An attacker who can supply chart data can embed script in it; the data is stored persistently and the script executes whenever any visitor loads the affected chart. The flaw can lead to execution of arbitrary script in the context of the victim's browser and therefore compromises the confidentiality, integrity, and availability of the site for that user. The weakness is classified as CWE-79.
Affected Systems
All installations of the dugbug Easy Chart Builder for WordPress plugin from the earliest release through version 1.3 are affected. Any deployment that has not upgraded beyond 1.3 should be considered vulnerable.
Risk and Exploitability
The CVSS score of 6.5 reflects a significant impact, while the EPSS score of <1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been recorded there. Attackers typically need access to the chart-builder interface (usually an administrator or editor account) to inject a payload; once stored, the payload is delivered to every user who views the chart, which makes the risk substantial for sites that allow untrusted users to create or edit charts.
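The rendering defect described under Impact, shown as a vulnerable pattern beside its hardened form. This is an added example written for this advisory, not code from the Easy Chart Builder plugin: the function names, the chart array layout and the sample values are assumptions, and the `function_exists` fallbacks only let the file run outside WordPress.

```php
<?php
// Added illustration of the CWE-79 pattern this advisory describes; it is not
// code from the Easy Chart Builder plugin. The function names, the chart array
// layout and the sample data are assumptions made for this example.

// Fallbacks so the file also runs with plain `php` outside WordPress; inside
// WordPress these names resolve to the real esc_html/esc_attr/
// wp_json_encode/sanitize_text_field.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($v, $flags = 0) { return json_encode($v, $flags); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Constructed chart record as an editor might save it. The title carries
// markup and one label carries a stray quote; because the record is stored,
// every later page view replays it.
$chart = [
    'id'     => 7,
    'title'  => 'Sales <script>alert(1)</script>',
    'labels' => ['Q1', 'Q2', 'Q3" data-x="y'],
    'values' => [10, 20, 30],
];

// VULNERABLE pattern: stored strings are concatenated straight into the page,
// so the browser parses the saved markup as part of the page.
function ecb_render_chart_vulnerable(array $chart): string {
    $html  = '<h3 class="chart-title">' . $chart['title'] . "</h3>\n";
    $html .= '<ul class="chart-legend">' . "\n";
    foreach ($chart['labels'] as $i => $label) {
        $html .= '  <li title="' . $label . '">' . $label . ': ' . $chart['values'][$i] . "</li>\n";
    }
    $html .= "</ul>\n";
    // Inline data for the drawing script, built by string concatenation.
    $html .= "<script>var chartTitle = '" . $chart['title'] . "';</script>\n";
    return $html;
}

// HARDENED pattern: every value is escaped for the context it lands in.
//   text node      -> esc_html()
//   attribute      -> esc_attr()
//   inline script  -> wp_json_encode() with the JSON_HEX_* flags, so '<', '>',
//                     '&' and both quote characters are emitted as \uXXXX
//                     escapes and cannot close the <script> element or a
//                     string literal.
function ecb_render_chart_hardened(array $chart): string {
    $html  = '<h3 class="chart-title">' . esc_html($chart['title']) . "</h3>\n";
    $html .= '<ul class="chart-legend">' . "\n";
    foreach ($chart['labels'] as $i => $label) {
        $html .= '  <li title="' . esc_attr($label) . '">' . esc_html($label) . ': '
               . (int) $chart['values'][$i] . "</li>\n";
    }
    $html .= "</ul>\n";
    $json  = wp_json_encode($chart, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $html .= "<script>var chartData = " . $json . ";</script>\n";
    return $html;
}

// Input-side hygiene at save time. This is defence in depth only: the fix for
// CWE-79 is the output escaping above, which holds whatever value was stored.
function ecb_sanitize_chart_input(array $raw): array {
    return [
        'id'     => (int) ($raw['id'] ?? 0),
        'title'  => sanitize_text_field($raw['title'] ?? ''),
        'labels' => array_map('sanitize_text_field', $raw['labels'] ?? []),
        'values' => array_map('intval', $raw['values'] ?? []),
    ];
}

// A check a reviewer can run on rendered output: a stored value that contains
// markup must never appear verbatim in the page. Returns true when it does not.
function ecb_output_is_neutralized(string $html, string $stored): bool {
    return strpos($html, $stored) === false;
}

if (PHP_SAPI === 'cli') {
    echo "--- vulnerable ---\n", ecb_render_chart_vulnerable($chart);
    echo "--- hardened ---\n",   ecb_render_chart_hardened($chart);
    var_dump(ecb_output_is_neutralized(ecb_render_chart_vulnerable($chart), $chart['title']));
    var_dump(ecb_output_is_neutralized(ecb_render_chart_hardened($chart), $chart['title']));
}
```

Run with `php example.php` to compare the two renderings: the vulnerable output reproduces the stored `<script>` element and lets the quote in the third label terminate the `title` attribute, while the hardened output carries the same data with each character escaped for its context. The design point is that the escaper is chosen by output context, not by where the data came from; sanitizing on input is a useful extra layer but does not replace it, because data that reached the database by another path (import, older plugin versions, direct edits) is still rendered safely.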
OpenCVE Enrichment