The vulnerability is a Stored Cross‑Site Scripting flaw found in the WordPress plugin WP Hotjar (thiagogsrwp:WP Hotjar) affecting all releases up to and including version 0.0.3. The defect is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are saved and later served to normal site visitors. If successfully exploited, the attacker could run arbitrary JavaScript in the context of the victim's browser, potentially stealing session cookies, defacing content, or redirecting users to malicious sites. The weakness is classified as CWE‑79.

Affected systems are WordPress sites that have installed the WP Hotjar plugin from the official plugin repository with a version number that is n/a through 0.0.3. This includes any site that has applied the plugin without upgrading beyond versions known to contain the flaw. No other vendors or product versions are listed as affected.

The CVSS score of 5.9 indicates a medium severity, reflecting the requirement that the attacker must first supply or modify plugin data that will be stored and presented to other users. The EPSS score of less than 1% suggests that the probability of the vulnerability being exploited in the wild is currently low, though active exploitation has not been reported and the weakness is not present in the CISA KEV catalog. Because the crawlable content is stored server‑side, a likely attack path involves the attacker being able to inject code through an interface that accepts user‑supplied input for the plugin configuration or a post content field; the script would then execute for any subsequent visitor to the affected page. Admin credentials or at least author‑level access could be prerequisite, but the exact vector depends on how the plugin handles user data.