Impact
The Easy Charts plugin for WordPress contains a DOM-based cross-site scripting flaw that lets an attacker inject JavaScript into the rendered page. Because the plugin passes crafted input to the page without neutralizing it, an attacker can run script in a victim's browser session and potentially steal session cookies, hijack accounts, or alter page content. The weakness is classified as CWE-79; it requires no privileged access and relies solely on user input that reaches the front-end rendering code.
Affected Systems
WordPress installations that use the Easy Charts plugin developed by Kiran Potphode. All versions up to and including 1.2.3 are affected; the earliest affected release is not specified. No particular WordPress core version is named, so any site running the plugin within that range should be treated as exposed.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate impact, and the EPSS score below 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply input that the plugin renders directly, which points to a typical cross-site scripting path via a crafted URL or form submission. Without additional defenses, an attacker could achieve complete front-end compromise of the affected site.
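As an added illustration of the bug class described in the Impact and Risk sections above (this is not the Easy Charts plugin's code; the `labels` query parameter and the legend sink are assumptions, since the advisory does not name the real code path), the same chart legend is rendered three ways: the unsafe string concatenation that becomes DOM-based XSS once assigned to innerHTML, the escaped form, and the node-building form that never parses input as HTML.

```javascript
// Added illustration, not the Easy Charts plugin's code. Parameter name and
// sink are hypothetical; the advisory does not describe the real code path.

// Escape the five characters that matter when text lands in an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Labels arrive as ?labels=Q1,Q2,Q3 (hypothetical parameter), i.e. straight
// from the URL, which is exactly the attacker-controlled source in a DOM XSS.
function parseLabels(search) {
  const raw = new URLSearchParams(search).get('labels') || '';
  return raw.split(',').filter((l) => l.length > 0);
}

// Vulnerable form: URL-controlled text is concatenated into markup. When the
// caller does `legendEl.innerHTML = renderLegendUnsafe(location.search)`,
// any tag inside a label becomes a live DOM node and its handlers run.
function renderLegendUnsafe(search) {
  return parseLabels(search).map((l) => '<li>' + l + '</li>').join('');
}

// Hardened form 1: encode before the text reaches an HTML sink.
function renderLegendEscaped(search) {
  return parseLabels(search)
    .map((l) => '<li>' + escapeHtml(l) + '</li>')
    .join('');
}

// Hardened form 2: avoid markup entirely and build nodes with textContent,
// which stores the label as text and never parses it. `doc` is any
// Document-like object (the real `document` in a browser, a stub in tests).
function renderLegendDom(search, doc) {
  const ul = doc.createElement('ul');
  for (const l of parseLabels(search)) {
    const li = doc.createElement('li');
    li.textContent = l;
    ul.appendChild(li);
  }
  return ul;
}
```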