Impact
The vulnerability is an improper neutralization of input during web page generation, allowing attackers to inject arbitrary JavaScript that is stored and served to unsuspecting users. This stored XSS flaw can lead to session hijacking, credential theft, defacement or drive‑by malware installation, affecting the confidentiality, integrity, or availability of the site’s data for any visitor that views the compromised content. The weakness is identified as CWE‑79.
Affected Systems
The affected product is the GhozyLab Popup Builder Easy‑Notify‑Lite plugin for WordPress, versions from the earliest release through 1.1.33. Users running any of those releases on a WordPress site are vulnerable.
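The affected range above can be checked against an installed copy by reading the plugin's header, as in this added example (not part of the advisory or the plugin's own code). The directory name `easy-notify-lite` and the `wp-content/plugins` layout are assumptions, and the sample header is constructed.

```python
import re
from pathlib import Path

# From the advisory: every release up to and including 1.1.33 is affected.
LAST_AFFECTED = (1, 1, 33)
# Assumption: the plugin's directory name under wp-content/plugins.
PLUGIN_DIR_NAME = "easy-notify-lite"

NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*\S", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.M | re.I)


def header_version(php_source):
    """Return the plugin header's Version as an int tuple, or None."""
    head = php_source[:8192]  # WordPress reads only the first 8 KiB for headers
    if not NAME_RE.search(head):
        return None  # not the plugin's main file
    m = VERSION_RE.search(head)
    return tuple(int(n) for n in m.group(1).split(".")) if m else None


def classify(version):
    """Compare a version tuple with the advisory's last affected release."""
    if version is None:
        return "unknown"
    width = max(len(version), len(LAST_AFFECTED))
    padded = version + (0,) * (width - len(version))
    limit = LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))
    return "affected" if padded <= limit else "outside-range"


def check_install(wp_root):
    """Inspect <wp_root>/wp-content/plugins/<PLUGIN_DIR_NAME>."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR_NAME
    if not plugin_dir.is_dir():
        return "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):  # headers live in top-level files
        version = header_version(php.read_text(errors="replace"))
        if version is not None:
            return classify(version)
    return "unknown"


# Constructed sample header, not copied from the plugin.
SAMPLE = "<?php\n/*\nPlugin Name: Example Popup\nVersion: 1.1.33\n*/\n"

if __name__ == "__main__":
    print(classify(header_version(SAMPLE)))
```

A result of `unknown` means the header could not be read and the install should be inspected by hand; a pre-release suffix such as `-beta` is ignored, so the check errs toward `affected`.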
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The attack vector is inferred to be web‑based: the plugin’s interface accepts unsanitized input, which is then stored and rendered back to visitors. The vulnerability is not listed in the KEV catalog, so no exploitation in the wild has been confirmed yet, but because the flaw is stored, injected code is served to every visitor who views the affected content.