The vulnerability is a DOM‑based Cross‑Site Scripting flaw that allows attackers to inject and execute arbitrary scripts in the context of a victim’s browser. The flaw arises from improper neutralization of user input during web page generation, making the victim’s browser run attacker‑supplied code. This can compromise user credentials, deface content, or carry out further social‑engineering attacks. At its core, the weakness is an input validation error identified as CWE‑79.

The affected product is the Caspio Bridge: Custom Database Applications by Caspio WordPress plugin, version 2.1 or earlier. No additional platform or operating system details are provided, but the plugin functions within the WordPress environment.

With a CVSS score of 6.5, the vulnerability represents a moderate severity threat. The EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a user visiting a page served by the plugin and interacting with a form or field that is rendered unsanitized. Because authentication is not required to trigger the script, any visitor can become an attacker if the site is exposed. The impact is primarily administrative overhead and a potential loss of trust in the site rather than broad system compromise.