This vulnerability is a stored Cross‑Site Scripting flaw caused by improper neutralization of user input when generating a web page. An attacker can embed malicious JavaScript that is saved in the database and executed in the browser of any user viewing the affected content. Based on the description, it is inferred that the potential impact includes theft of session cookies, credential leakage, defacement, or the execution of additional malicious actions in the victim’s context. The weakness is identified as CWE‑79.

All installations of OTWthemes Content Manager Light on WordPress that are version 3.2 or earlier are affected. Sites that rely on this plugin to publish or manage content may be vulnerable if the plugin’s content fields are not properly sanitized.

The CVSS score of 6.5 reflects a medium severity vulnerability. The EPSS score of less than 1% indicates that exploitation is considered unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited in the wild yet. Attackers may achieve exploitation by accessing the content creation or editing interface, but the exact prerequisites are not detailed; Based on the description, it is inferred that the likely attack vector is through any input that is stored and later rendered without proper sanitization.