Impact
The Weather Layer plugin for WordPress fails to neutralize user-supplied input properly during web page generation, permitting an attacker to inject arbitrary script code into the web pages served to visitors. This is a stored XSS flaw: malicious JavaScript can be embedded in the plugin’s persistent data and is subsequently rendered, unescaped, within the site’s pages. While the description does not enumerate specific downstream effects, arbitrary script execution in a visitor’s browser carries the inherent risk of session or data theft, defacement, or other client‑side malicious actions.
Affected Systems
The vulnerability exists in all releases of the Weather Layer plugin from the earliest version through version 4.2.1. Any WordPress site running the plugin at version 4.2.1 or earlier is susceptible, regardless of other security controls applied to the site.
Risk and Exploitability
The CVSS score of 5.9 classifies the flaw as moderate severity, and the EPSS score of less than 1% indicates a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply crafted input that is stored by the plugin, and the impact would manifest when the stored content is retrieved and rendered in a visitor’s browser.
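The stored-XSS pattern described above, shown generically for a WordPress plugin as an added illustration. This is not the Weather Layer plugin’s code and does not claim where its flaw lies; the option name `wl_demo_city_label`, the settings field and the `wl_demo_` prefix are constructed for this example. The vulnerable half stores and echoes an admin-supplied string untouched; the hardened half sanitizes on save with `sanitize_text_field()` and escapes on output with `esc_html()` / `esc_attr()`, which is the standard WordPress mitigation for CWE-79.

```php
<?php
/*
 * Constructed example: a plugin setting that is saved to the database
 * and later rendered on the public site. Demonstrates the stored-XSS
 * pattern and its fix; NOT the Weather Layer plugin's actual code.
 */

/* ---------- Vulnerable pattern (for illustration only) ---------- */

function wl_demo_save_label_vulnerable() {
    // Raw POST data persisted without sanitization.
    if ( isset( $_POST['wl_demo_city_label'] ) ) {
        update_option( 'wl_demo_city_label', $_POST['wl_demo_city_label'] );
    }
}

function wl_demo_render_label_vulnerable() {
    // Stored value echoed straight into the page: any <script> or
    // event-handler attribute saved above executes in every visitor's browser.
    echo '<div class="wl-city">' . get_option( 'wl_demo_city_label', '' ) . '</div>';
}

/* ---------- Hardened pattern ---------- */

function wl_demo_save_label_hardened() {
    // Only authorized users, with a valid nonce, may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'wl_demo_save_label' );

    if ( isset( $_POST['wl_demo_city_label'] ) ) {
        // Strip tags, encoded octets and line breaks before persisting.
        $label = sanitize_text_field( wp_unslash( $_POST['wl_demo_city_label'] ) );
        update_option( 'wl_demo_city_label', $label );
    }
}

function wl_demo_render_label_hardened() {
    $label = get_option( 'wl_demo_city_label', '' );

    // Escape at the point of output, with the escaper matching the context:
    // esc_html() for element text, esc_attr() for an attribute value.
    // Sanitizing on save is defence in depth, not a substitute for this.
    printf(
        '<div class="wl-city" title="%s">%s</div>',
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Nonce field to pair with check_admin_referer() in the settings form.
function wl_demo_settings_form_fields() {
    wp_nonce_field( 'wl_demo_save_label' );
    printf(
        '<input type="text" name="wl_demo_city_label" value="%s">',
        esc_attr( get_option( 'wl_demo_city_label', '' ) )
    );
}
```

The split between `sanitize_text_field()` on input and `esc_html()` / `esc_attr()` on output matters: data already stored by an older, unpatched version is not re-sanitized by a fix to the save path, so output escaping is what actually closes a stored XSS once the vulnerable data is in the database. Defenders reviewing a site that ran an affected version should therefore also inspect the plugin’s persisted options and post meta for injected markup rather than relying on the upgrade alone.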
OpenCVE Enrichment