Impact
The WP Plugin Info Card plugin has a DOM‑Based Cross‑Site Scripting vulnerability caused by improper neutralization of user input during page generation. An attacker could inject malicious script into a page rendered by the plugin, and that script executes in the browser of anyone who views the affected page. The impact includes potential session hijacking, data theft, or defacement; the weakness is classified as CWE‑79. This flaw does not allow remote code execution on the host, but it can compromise the confidentiality and integrity of web users’ data.
Affected Systems
The vulnerability affects Brice Capobianco’s WP Plugin Info Card plugin in all releases from its initial release through version 5.3.0. No specific sub‑versions are listed, but any instance of the plugin that has a version number less than or equal to 5.3.0 is at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is reported as <1%, implying low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user’s browser to load a page containing the vulnerable plugin; thus the attack vector is browser‑based and can be triggered by a crafted link or manipulated input in the URL or form. While no active exploits are publicly documented, the nature of DOM‑Based XSS means an attacker could potentially trick users into visiting maliciously crafted URLs.
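The bug class described in the Impact and Risk sections, as an added illustration in plain JavaScript that is not the plugin's own code and not taken from this advisory: a URL-derived value interpolated into markup without neutralization, shown beside the escaped form. The query parameter name `plugin`, the card markup and the sample URL are assumptions constructed for this example.

```javascript
// Added illustration of CWE-79 (DOM-based XSS). This is NOT code from the
// WP Plugin Info Card plugin; the "plugin" parameter name and the card markup
// are assumptions made for this example.

// Minimal HTML escaper for text that will be placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Source: a value read from the page URL's query string. When a victim follows
// a crafted link, this value is attacker-controlled (the "manipulated input in
// the URL" the advisory refers to). Node and browsers both provide global URL.
function pluginSlugFromUrl(pageUrl) {
  return new URL(pageUrl).searchParams.get("plugin") || "";
}

// Vulnerable pattern: the untrusted value is concatenated straight into markup
// that the page later assigns to innerHTML, so any tags in it become live DOM.
function buildCardUnsafe(slug) {
  return '<div class="wp-pic-card"><h3>' + slug + "</h3></div>";
}

// Hardened pattern: the same value is neutralized before it reaches the sink.
// Equivalent fix in real DOM code: create the <h3> and set its textContent,
// which never parses the value as HTML at all.
function buildCardSafe(slug) {
  return '<div class="wp-pic-card"><h3>' + escapeHtml(slug) + "</h3></div>";
}

// Constructed sample URL whose parameter carries harmless markup, enough to
// show that the unsafe builder lets it through as tags and the safe one does not.
const SAMPLE_URL =
  "https://example.test/page?plugin=" + encodeURIComponent("<b>not a slug</b>");

function demo() {
  const slug = pluginSlugFromUrl(SAMPLE_URL);
  return { unsafe: buildCardUnsafe(slug), safe: buildCardSafe(slug) };
}

// For a detection-side check, grep plugin JS for innerHTML/outerHTML/insertAdjacentHTML
// assignments whose right-hand side is built from location.*, URLSearchParams or form values.
console.log(demo());
```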
OpenCVE Enrichment