Impact
The plugin improperly neutralizes input during web page generation, which allows an attacker to store malicious scripts in site content. When a victim visits the affected page, the script executes in their browser, potentially permitting cookie theft, session hijacking, defacement or the execution of further attacks. The weakness is a classic Cross-Site Scripting flaw identified as CWE-79 and can compromise the confidentiality, integrity, and availability of the website and its users.
Affected Systems
Affected systems are WordPress sites that use the DP ALTerminator – Missing ALT manager plugin from vendor mylo2h2s, versions up to and including 1.0.2.
Risk and Exploitability
The CVSS score of 5.9 places the vulnerability in the medium severity range, while the EPSS score of less than 1% indicates a very low current exploitation probability. It is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation. Based on the description, the suspected attack vector is the plugin's input mechanism, accessible via the web interface, which enables remote actors to inject payloads that are later rendered to end users. An attacker would need only to submit the malicious script, which is then stored and later delivered to visitors. The overall risk remains moderate, but the impact could be significant if a user's browser processes the script.