jAlbum Bridge for WordPress contains a DOM‑based Cross‑Site Scripting flaw due to improper neutralization of user input during page generation. An attacker who controls a value that the plugin echoes can embed arbitrary JavaScript that executes in the browser of anyone who views the affected page. Because the script runs with the victim’s privileges, it can steal session cookies, deface the site or redirect users to malicious destinations. This weakness is identified as CWE‑79.

The vulnerability exists in mlaza’s jAlbum Bridge plugin for WordPress version 2.0.17 and all earlier releases. Any WordPress installation that uses this plugin is potentially exposed; versions 2.0.18 and later contain the fix and have been released by the vendor.

The recorded CVSS score is 6.5, indicating a moderate severity with potential impact on confidentiality and integrity within the visitor’s browser. The EPSS score is reported as < 1%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated crafted URL or input to the plugin, as the description does not explicitly state the necessary conditions. Exploitation can be performed merely by delivering a crafted URL or input to the plugin, without requiring authentication or server‑side privileges, making it relatively easy to launch but still limited to user interaction. Given the low EPSS and moderate CVSS, a timely patch is recommended but the risk of immediate widespread exploitation remains low.