Improper neutralization of input during web page generation allows a stored cross‑site scripting flaw in the reDim GmbH CookieHint WP plugin. An attacker can inject malicious JavaScript that is persisted in the plugin’s stored data and later rendered in the browser of any site visitor. This vulnerability can lead to credential theft, session hijacking, or defacement, compromising the confidentiality, integrity, and availability of the affected WordPress site.

The flaw impacts the reDim GmbH CookieHint WP plugin for WordPress versions from the initial release up to and including 1.0.0. WordPress site administrators running any installation with this plugin should verify the installed version and plan an upgrade.

The CVSS score of 6.5 indicates a medium severity, while the EPSS score of less than 1 percent suggests a low probability of exploitation in the wild at present. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker can exploit the vulnerability by submitting malicious input through the plugin’s administrative interface, which is later served to other site visitors. The stored script execution provides a complete code‑execution path for the attacker within the context of the site.