Improper Neutralization of Input During Web Page Generation is present in the Hover Image Button WordPress plugin through version 1.1.2, permitting a DOM‑Based XSS flaw. This defect allows an attacker to inject and execute arbitrary client‑side scripts within the context of a victim’s browser when the vulnerable input is rendered. The impact is confined to the affected user session, potentially enabling theft of session cookies, defacement, or redirection to malicious sites. The flaw arises because the plugin fails to properly escape or sanitise user‑supplied data before it appears in the generated page.

The vulnerability affects the Ignacio Perez Hover Image Button plugin for WordPress, specifically all releases from the initial release up to and including version 1.1.2. Users running any of those versions are exposed; no other plugins or WordPress core versions are mentioned as affected.

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests low historical exploitation probability. The flaw is not listed in the CISA KEV catalog. Attackers would most commonly exploit the issue via a crafted link or by manipulating user‑controlled data that the plugin includes in the DOM; this is inferred because the description specifies a DOM‑Based XSS. No additional intrusion prerequisites are documented, implying that a vulnerable site’s normal traffic and user interaction could surface the exploit.