Impact
Improper neutralization of input during web page generation in the Breaking News Ticker plugin has been identified as a Stored XSS vulnerability (CWE‑79). An attacker can store malicious JavaScript code through the plugin’s input fields, which is later rendered to any visitor without proper escaping. The stored payload can lead to execution of arbitrary scripts in the browser, facilitating credential theft, session hijacking, defacement of the site, or delivery of additional malware.
Affected Systems
WordPress sites running the Breaking News Ticker plugin from Amitythemes.com. The affected range is given as n/a through 2.4.4, meaning every release of the plugin up to and including 2.4.4 is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 places the issue at medium severity. The EPSS score of less than 1 % indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is submission of crafted input through the plugin's user‑controlled fields, which is then displayed to visitors on the front end or to administrators in the dashboard. Successful exploitation requires that the attacker either has access to the input interface (e.g., a logged‑in user with the capability to add or edit ticker items) or can convince a privileged user to submit the payload. Once the payload is stored, every user who views the page receives the malicious script. The impact on confidentiality, integrity, and availability is chiefly the ability to run arbitrary code in the victim's browser context; the flaw does not by itself provide system‑wide compromise or remote code execution on the server.
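The following is an added illustration of the defect class described above, not the Breaking News Ticker plugin's own code. It places the generic WordPress pattern that produces a stored XSS (ticker text written to the options table and echoed back unescaped) next to a hardened version that checks capability and nonce on save, sanitizes on the way in, and escapes for the correct HTML context on the way out. All names prefixed `demo_` (functions, option keys, the `items` POST field, the nonce action) are hypothetical; the WordPress API functions used are real.

```php
<?php
/**
 * Added example, not the plugin's code. "demo_" names are hypothetical.
 * Real WordPress APIs used: get_option, update_option, wp_unslash,
 * current_user_can, check_admin_referer, wp_die, sanitize_text_field,
 * esc_html, esc_attr, esc_url.
 */

// ---- Vulnerable pattern (CWE-79): stored unescaped, echoed unescaped. ----

function demo_vuln_save_items() {
    // Raw POST data is written straight to the options table with no
    // authorization check, no nonce check and no sanitization.
    update_option( 'demo_vuln_items', wp_unslash( $_POST['items'] ?? array() ) );
}

function demo_vuln_render() {
    $out = '<ul class="ticker">';
    foreach ( (array) get_option( 'demo_vuln_items', array() ) as $item ) {
        // No output escaping: whatever was stored reaches every visitor's browser.
        $out .= '<li>' . $item . '</li>';
    }
    return $out . '</ul>';
}

// ---- Hardened pattern: authorize, verify intent, sanitize on save, escape on output. ----

function demo_safe_save_items() {
    // Only users allowed to manage options may write ticker items...
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // ...and only through a form carrying a valid nonce, so a privileged user
    // cannot be tricked into storing a payload via a forged request.
    check_admin_referer( 'demo_save_items', 'demo_nonce' );

    $raw   = isset( $_POST['items'] ) ? (array) wp_unslash( $_POST['items'] ) : array();
    $clean = array();
    foreach ( $raw as $item ) {
        // Ticker text is plain text: strip tags, normalise whitespace, drop
        // invalid octets. Use wp_kses_post() instead if limited markup is needed.
        $clean[] = sanitize_text_field( $item );
    }
    update_option( 'demo_safe_items', $clean );
}

function demo_safe_render() {
    $out = '<ul class="ticker">';
    foreach ( (array) get_option( 'demo_safe_items', array() ) as $item ) {
        // Escape for the HTML text context at the point of output, even though
        // the value was sanitized on save (defense in depth: stored data may
        // also arrive via import, migration or another plugin).
        $out .= '<li>' . esc_html( $item ) . '</li>';
    }
    return $out . '</ul>';
}

// Each output context has its own escaper: attribute values need esc_attr(),
// href values need esc_url(), element text needs esc_html().
function demo_safe_render_link( $label, $url ) {
    return sprintf(
        '<a class="ticker-link" href="%s" title="%s">%s</a>',
        esc_url( $url ),
        esc_attr( $label ),
        esc_html( $label )
    );
}
```

When reviewing a plugin for this class of bug, the check is mechanical: find every `echo`/concatenation that emits data originating from `get_option()`, post meta or `$_POST`, and confirm that an escaper matching the output context (`esc_html`, `esc_attr`, `esc_url`, or `wp_kses_post` for permitted markup) sits between the data and the page. Sanitization on save alone is not sufficient, because the stored value can be introduced through paths other than the sanitized form handler.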
OpenCVE Enrichment