Impact
The reported flaw is a stored cross-site scripting vulnerability that occurs when user-supplied content is rendered by the Doneren met Mollie WordPress plugin without proper sanitization. An attacker who can insert a malicious script into a page or post that uses the plugin can cause arbitrary JavaScript to execute in the browsers of any users who view the affected content, potentially leading to session hijacking, credential theft, or defacement.
Affected Systems
The vulnerability is present in the Doneren met Mollie plugin supplied by Nick van Wobbie, impacting all releases from the earliest available version up through version 2.10.7 inclusive. Any WordPress site leveraging the plugin prior to upgrading beyond 2.10.7 is susceptible.
Risk and Exploitability
The CVSS score of 6.5 denotes a medium-severity risk, while the EPSS score of less than 1% indicates a low probability of active exploitation at present. The flaw is not listed in the CISA KEV catalog. The likely attack vector would involve an attacker creating or editing content that goes through the plugin's rendering path, such as adding a comment, post, or other input accepted by the plugin, without any additional authentication requirements beyond what the site normally permits. Exploitation would be straightforward on sites that allow untrusted content input.
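As an added illustration of the defect class described above (this is not the plugin's own code, which the advisory does not show), the following sketches a hypothetical donation-entry rendering function in its vulnerable form beside the hardened form. The function names and the sample record are assumptions; `esc_html` and `esc_attr` are WordPress's own escaping functions, with a plain-PHP fallback so the file also runs under the PHP CLI outside WordPress.

```php
<?php
// Added example, not the plugin's code: untrusted stored content echoed into
// HTML without escaping (the stored XSS pattern) next to the corrected version.

// Fallbacks so this runs under plain `php` outside WordPress; inside WordPress
// the real esc_html()/esc_attr() already exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: stored donor input is concatenated straight into markup,
// so any HTML in $donation['name'] or $donation['message'] is parsed by the browser.
function render_donation_vulnerable(array $donation): string {
    return '<li class="donation" data-donor="' . $donation['name'] . '">'
         . $donation['message'] . '</li>';
}

// Hardened pattern: each untrusted value is escaped at output time for the
// context it lands in (esc_attr inside an attribute, esc_html as element text).
function render_donation_safe(array $donation): string {
    return '<li class="donation" data-donor="' . esc_attr($donation['name']) . '">'
         . esc_html($donation['message']) . '</li>';
}

// Constructed sample record, the kind of stored content a donation plugin persists.
$sample = [
    'name'    => 'Alice "A" Example',
    'message' => 'Thanks! <b>Keep it up</b> <script>alert(1)</script>',
];

echo "Vulnerable: " . render_donation_vulnerable($sample) . "\n";
echo "Safe:       " . render_donation_safe($sample) . "\n";
// In the safe output the tags appear as literal text (&lt;script&gt;...), so the
// browser displays them instead of executing them.
```

The same escaping must be applied on every output path that prints stored input, including admin-side listings, since stored XSS typically fires when a privileged user views the content.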
OpenCVE Enrichment