Impact
The plugin does not neutralize user-controllable input before writing it into generated web pages (CWE-79). An attacker who can get a payload stored by the plugin has it served to every subsequent visitor of the affected content, so arbitrary JavaScript runs in each victim's browser in the origin of the site. Typical consequences are theft of session cookies or tokens, actions performed with the victim's privileges (an administrator's, if one views the page), defacement, and redirection to malware.
Affected Systems
WordPress sites running the Dima Take Action plugin by PixelDima are affected in all versions up to and including 1.0.5; the earliest affected release is not identified. The plugin is used for website maintenance and event management features. Administrators running version 1.0.5 or earlier should assume the vulnerable code is present and update when a patched release is published.
Risk and Exploitability
The CVSS base score of 5.9 places this issue in the medium range. The EPSS score is below 1 %, so exploitation in the wild is currently assessed as unlikely, and the vulnerability is not in CISA's KEV catalog. Exploitation takes two steps: the attacker first supplies input that the plugin persists (for example through plugin forms or content submissions, which may require an authenticated role), and the plugin then renders the stored value without escaping. From that point no further attacker interaction is needed; every visitor who loads the affected page executes the payload. A practical check is to review each place the plugin echoes saved options or post meta and confirm it is wrapped in the escaping function for its HTML context (esc_html(), esc_attr(), esc_url(), or wp_kses_post() where limited markup is intended).
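The store-then-render pattern described above, as an added example that is not code from the Dima Take Action plugin: a minimal WordPress-style "action bar" rendered once without escaping and once with context-appropriate escaping, plus a sanitize-on-save layer. The option keys, function names and the attacker payloads are assumptions made for this illustration; the core WordPress escaping functions are shimmed so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Dima Take Action plugin. Function and
// option names and the payloads are assumptions for this demo.
//
// Outside WordPress the escaping helpers are shimmed so the file runs with
// `php example.php`; inside WordPress the real core functions are used.
if (!function_exists('esc_html')) {
    function esc_html($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for core esc_url(): drop characters core does not
    // allow in a URL (quotes and spaces among them), require http(s), and
    // entity-encode single quotes for display.
    function esc_url($s) {
        $s = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', (string) $s);
        if (!preg_match('#^https?://#i', $s)) {
            return '';
        }
        return str_replace("'", '&#039;', $s);
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in: strip tags and control characters, then trim.
    function sanitize_text_field($s) {
        $s = strip_tags((string) $s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// Constructed attacker input, as it might arrive through a plugin settings
// form or content submission and be persisted with update_option().
$submitted = [
    'title' => 'Take action now <img src=x onerror="alert(document.cookie)">',
    'url'   => 'https://example.org/" autofocus onfocus="alert(1)',
];

// Vulnerable pattern: stored values are concatenated straight into markup.
// The <img onerror> fires for every visitor who loads the page, and the
// quote in the URL breaks out of the href attribute.
function render_action_bar_vulnerable(array $opts) {
    return '<div class="take-action"><a href="' . $opts['url'] . '">'
         . $opts['title'] . '</a></div>';
}

// Hardened pattern: escape on output with the function that matches each
// HTML context (URL attribute vs. text node). This alone closes the XSS,
// whatever was stored.
function render_action_bar_hardened(array $opts) {
    return '<div class="take-action"><a href="' . esc_url($opts['url']) . '">'
         . esc_html($opts['title']) . '</a></div>';
}

// Second layer: sanitize on save. Inside WordPress this handler would sit
// behind current_user_can('manage_options') and check_admin_referer(),
// omitted here so the file runs stand-alone. Output escaping is still
// required; sanitizing on input is not a substitute for it.
function save_action_bar_settings(array $post) {
    return [
        'title' => sanitize_text_field($post['title'] ?? ''),
        'url'   => sanitize_text_field($post['url'] ?? ''),
    ];
}

echo "VULNERABLE:\n", render_action_bar_vulnerable($submitted), "\n\n";
echo "HARDENED (output escaping only):\n", render_action_bar_hardened($submitted), "\n\n";
echo "HARDENED (sanitized on save, escaped on output):\n",
     render_action_bar_hardened(save_action_bar_settings($submitted)), "\n";
```

Running the file shows the vulnerable render emitting a live `onerror` handler and an `href` whose closing quote is attacker-controlled, while the hardened render keeps the same stored bytes inert: `<` and `"` become `&lt;` and `&quot;` in the text node, and the URL loses the characters that would let it escape the attribute. The save layer reduces what reaches the database but is deliberately shown as the second line of defence, since a review of the plugin's output paths is what actually establishes whether this class of bug is present.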
Sources: OpenCVE Enrichment, EUVD