Impact
Improper neutralization of input during page generation lets an attacker store malicious JavaScript in the Pathomation plugin's database. When a victim later requests a page that renders that stored data, the injected script executes in the victim's browser, enabling phishing, session hijacking or theft of sensitive information. This is a classic stored cross-site scripting flaw, classified as CWE-79, with a CVSS score of 6.5, indicating moderate severity for affected systems.
Affected Systems
The Pathomation plugin for WordPress is affected in every version up to and including 2.5.1. Any WordPress site running Pathomation 2.5.1 or earlier is vulnerable until it is upgraded past that release.
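A quick way to confirm whether an installed copy falls inside the affected range is to read the declared version from the plugin's main file header, which follows the standard WordPress plugin-header format, and compare it against 2.5.1. The script below is an added example and is not the plugin's or the advisory's own code; the plugin directory and main-file name under wp-content/plugins are placeholders you must replace with the real path on your site.

```php
<?php
// Added example, not the project's own code: determine whether an installed
// copy of the plugin is inside the affected range (every release up to and
// including 2.5.1) by reading the "Version:" field from the plugin's main
// file header. Pass the path to that file as the first argument; without an
// argument a constructed sample header is checked so the script runs stand-alone.
declare(strict_types=1);

const AFFECTED_THROUGH = '2.5.1';

// Pull the declared version out of a WordPress plugin header comment block
// (lines such as " * Version: 2.5.1").
function plugin_version_from_header(string $header): ?string
{
    return preg_match('/^[\s\/*#]*Version:\s*(\S+)/mi', $header, $m) ? $m[1] : null;
}

// True when the version sorts at or below the last affected release.
function is_affected_version(string $version): bool
{
    return version_compare($version, AFFECTED_THROUGH, '<=');
}

// Classify one header block; $label is only used in the report line.
function check_header(string $header, string $label): string
{
    $version = plugin_version_from_header($header);
    if ($version === null) {
        return "$label: no Version header found";
    }
    return sprintf('%s: version %s is %s', $label, $version,
        is_affected_version($version) ? 'AFFECTED (<= ' . AFFECTED_THROUGH . ')' : 'outside the affected range');
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        // Only the first 8 KiB is needed; the header sits at the top of the file.
        $head = @file_get_contents($argv[1], false, null, 0, 8192);
        echo $head === false ? "{$argv[1]}: not readable\n" : check_header($head, $argv[1]) . "\n";
    } else {
        // Constructed sample header (placeholder plugin name, not a real file).
        $sample = "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 2.5.1\n*/\n";
        echo check_header($sample, 'sample header') . "\n";
    }
}
```

Run it as `php check.php wp-content/plugins/<plugin-dir>/<main-file>.php`; `version_compare()` handles the usual dotted versions, so 2.5 and 2.5.0 are correctly reported as affected and 2.5.2 or later as outside the range.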
Risk and Exploitability
The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation nonetheless remains feasible: the attack vector is web-based input that the plugin stores and later renders without proper output escaping, so a script injected through the web interface on a site with Pathomation enabled executes for every visitor who views the affected content. Given the CVSS rating, the risk is moderate but real, and the potential impact on confidentiality and session integrity should be treated as a priority.
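The root cause described above, stored data rendered without output escaping, is easiest to see side by side with its fix. The following is an added example and is not Pathomation's code; it is a hypothetical WordPress-style template fragment that echoes a value read back from a plugin database table, first unescaped and then escaped at every insertion point. It runs under plain PHP; inside WordPress the same escaping is provided by esc_html() and esc_attr(), which wrap the htmlspecialchars() call used here.

```php
<?php
// Added example, not Pathomation's code: a hypothetical render routine that
// outputs a value previously stored in the plugin's database, shown in its
// vulnerable form (no output escaping) and in a hardened form.
declare(strict_types=1);

// Constructed sample of a value an attacker could have stored earlier,
// e.g. through a text field the plugin saves without validation.
const STORED_LABEL = 'Slide 1"><script>alert(document.cookie)</script>';

// Vulnerable: the stored string is concatenated straight into the markup,
// once inside a quoted attribute and once as element text, so the quote
// closes the attribute and the <script> element is parsed as real markup.
function render_vulnerable(string $label): string
{
    return '<div class="slide-label" title="' . $label . '">' . $label . '</div>';
}

// Escape for an HTML text node or a double-quoted attribute value: &, <, >,
// " and ' become entities, so the string can no longer close the attribute
// or open a new element. Mirrors what WordPress esc_html()/esc_attr() do.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: escape at output time, at every insertion point, for the context
// the value lands in. Storing the raw value is acceptable; rendering it raw
// is the bug the advisory describes.
function render_hardened(string $label): string
{
    return '<div class="slide-label" title="' . esc($label) . '">' . esc($label) . '</div>';
}

// Regression check for a code review or unit test: did any '<script'
// sequence survive into the rendered HTML?
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    foreach (['vulnerable' => 'render_vulnerable', 'hardened' => 'render_hardened'] as $name => $fn) {
        $html = $fn(STORED_LABEL);
        printf("%-10s raw <script> present: %s\n  %s\n", $name,
            contains_raw_script($html) ? 'yes' : 'no', $html);
    }
}
```

The hardened renderer emits `&lt;script&gt;` and `&quot;` instead of the raw characters, so the browser shows the attacker's text as text. When reviewing a plugin for this class of bug, look for every `echo`/`print` of a database or request value and confirm it passes through the escaping function that matches its context (esc_html() for text, esc_attr() for attributes, esc_url() for href/src, wp_kses_post() where limited HTML is intended).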
OpenCVE Enrichment
EUVD