The WP doodlez plugin improperly neutralizes user input when generating web pages, creating a stored XSS vulnerability (CWE‑79). An attacker can embed arbitrary script code that will be executed in the browsers of any user who views the affected page, potentially compromising accounts, stealing credentials, defacing the site, or phishing. The main effects are loss of confidentiality, integrity misuse of site content.

This vulnerability affects the WP doodlez plugin developed by robert_kolatzek for WordPress, which is vulnerable on all installations using version 1.0.10 or earlier. No specific WordPress core versions are affected, so any WordPress site running this plugin version is at risk until the plugin is upgraded.

The CVSS score is 7.1, indicating a high severity flaw. The EPSS score is less than 1%, suggesting the exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog, so no large‑scale exploitation has been reported yet. The attack vector is web‑based; an attacker must be able to submit content through the plugin’s interface. Once the malicious content is stored, every subsequent page view by any site user will trigger the script, making the flaw broadly exploitable in environments with permissive content creation rights.