The vulnerability is an instance of improper neutralization of input during web page generation that allows a stored cross‑site scripting (XSS) attack. A malicious user can potentially inject JavaScript that will execute in the browsers of other users who view affected pages, enabling session hijacking, defacement, or the theft of sensitive data. The weakness is identified as CWE‑79, a classic input validation failure that can compromise the confidentiality and integrity of the site for authenticated or anonymous visitors. The description indicates a stored XSS, which typically results in a persistent effect for all users who subsequently load the affected content.

The affected product is FancyThemes Page Takeover plugin version 1.1.6 and earlier. All WordPress sites that have installed this plugin without updating past version 1.1.6 are vulnerable.

The CVSS score of 5.9 places this issue in the moderate category, but the EPSS < 1% indicates that, at the time of this analysis, the public exploitation probability is very low. The vulnerability is not listed in CISA KEV, suggesting it has not been reported as widely exploited. Based on the description, the likely attack vector is via stored user input that is later rendered without proper sanitization; an attacker would need to manage to insert content that is persisted in the plugin’s database and subsequently displayed to other users. Because the flaw is a stored XSS, the impact is limited to the browsers of exposed users rather than at the system level.