The WP SimpleWeather plugin for WordPress suffers from a stored Cross‑Site Scripting (XSS) flaw caused by improper neutrality of user input during web page generation. This weakness, classified as CWE‑79, permits an attacker to inject malicious scripts that are rendered when a page containing the stored content is viewed. The primary impact is the potential for defacement, cookie theft, session hijacking, or execution of arbitrary client‑side code under the victim’s browser context.

The vulnerability affects the WP SimpleWeather plugin developed by matt_mcbrien, specifically all versions up to and including 0.2.5. The issue is present in any WordPress site that has installed these affected plugin versions.

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further implying limited active exploitation. Attackers would likely exploit the flaw by crafting malicious content that is stored via the plugin – such as weather widget data – and then having unsuspecting users view pages that display this content. The stored nature of the payload means the attack can persist until the plugin is updated or the content is removed.