Impact
The vulnerability occurs in the WordPress Quotes llama plugin when user input is incorporated into web pages without proper neutralization, allowing an attacker to inject malicious script that is executed in a visitor's browser. An attacker could hijack user sessions, alter page content, or redirect users to malicious sites. The flaw is classified as a CWE‑79 XSS weakness, which directly exposes the confidentiality and integrity of users interacting with the affected site.
Affected Systems
The affected product is the Quotes llama plugin developed by oooorgle. Versions from the initial release through 3.0.1 are affected; the source data lists no fixed or patched version.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate risk, and the EPSS score of less than 1% shows a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker who can submit a quote or otherwise feed unsanitized content to the plugin, such as an admin, a contributor, or a compromised account. Once injected, the script runs in the context of the site's front end, enabling client-side attack techniques. While the likelihood of successful exploitation is moderate, the impact on users' browsers can be significant, so applying the vendor-supplied fix or disabling the vulnerable component remains the best mitigation.
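The Impact and Risk sections above describe the general CWE-79 pattern (stored content rendered without neutralization, submitted by a privileged or compromised account). The following PHP is an added illustration of that pattern in a generic WordPress plugin context; it is not the Quotes llama plugin's code and is not taken from the advisory. The option names, shortcode tag, nonce action and function names are hypothetical placeholders.

```php
<?php
// Added illustration of CWE-79 in a WordPress plugin context. This is NOT the
// Quotes llama plugin's code; the option names, shortcode tag, nonce action and
// function names are hypothetical placeholders chosen for this example.

// --- Vulnerable pattern: stored user input echoed into the page unescaped ---
function example_quote_shortcode_vulnerable( $atts ) {
    // Quote text previously saved by a contributor-level or compromised account.
    $quote = get_option( 'example_quote_text', '' );
    // Whatever was stored (including <script> tags or on* attributes) lands
    // directly in every visitor's DOM.
    return '<blockquote class="example-quote">' . $quote . '</blockquote>';
}

// --- Hardened pattern: capability + nonce check, sanitize on write, escape on output ---
function example_quote_save( $raw_text, $raw_author ) {
    // Only users allowed to edit posts may store a quote.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false;
    }
    // Nonce check protects the save endpoint against CSRF (dies on failure).
    check_admin_referer( 'example_quote_save', 'example_quote_nonce' );

    // wp_kses_post() keeps ordinary post markup and strips script tags,
    // event-handler attributes and javascript: URLs.
    $text = wp_kses_post( wp_unslash( $raw_text ) );
    // The author name is plain text: strip tags and control characters.
    $author = sanitize_text_field( wp_unslash( $raw_author ) );

    update_option( 'example_quote_text', $text );
    update_option( 'example_quote_author', $author );
    return true;
}

function example_quote_shortcode_hardened( $atts ) {
    $text   = get_option( 'example_quote_text', '' );
    $author = get_option( 'example_quote_author', '' );

    // Escape at the point of output, for the context each value lands in:
    // wp_kses_post() for an HTML body fragment, esc_html() for text nodes,
    // esc_attr() for attribute values. Escaping here also neutralizes data
    // that was stored before the sanitization above existed.
    return sprintf(
        '<blockquote class="example-quote" data-author="%s">%s<cite>%s</cite></blockquote>',
        esc_attr( $author ),
        wp_kses_post( $text ),
        esc_html( $author )
    );
}

// Only the hardened renderer is registered with WordPress.
add_shortcode( 'example_quote', 'example_quote_shortcode_hardened' );
```

The design point worth noting: sanitizing on write limits what a contributor can store, but output escaping is the control that actually closes CWE-79, because it also covers content stored before the fix and content that reaches the option through any other path.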
OpenCVE Enrichment