Impact
The Nemesis All‑In‑One plugin does not properly neutralize input during web page generation, which results in a stored cross‑site scripting (XSS) vulnerability. A malicious actor can inject JavaScript or other executable content into plugin fields. When users view the affected content, the injected script runs in their browsers, enabling actions such as session hijacking, cookie theft, defacement, or execution of additional payloads. The weakness is classified as CWE‑79.
Affected Systems
All WordPress installations that run the fbtemplates Nemesis All‑In‑One plugin from the first available version through 1.1.3 inclusive are affected. Version 1.1.4 contains the fix, so any site still using an earlier release is vulnerable.
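The affected range above can be checked across a fleet from the JSON that `wp plugin list --format=json` prints per site. The sketch below is an added example, not code from the advisory or the plugin; the plugin slug and the sample inventory are constructed assumptions, and the slug must be replaced with the directory name actually found under wp-content/plugins.

```python
import json
import re

FIXED = (1, 1, 4)                    # first fixed release, per the advisory
PLUGIN_SLUG = "nemesis-all-in-one"   # ASSUMPTION: placeholder slug, verify on disk

def parse_version(text):
    """Turn '1.1.3' or 'v1.1.3-beta' into a 3-int tuple; None if no digits."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    nums = re.findall(r"\d+", core)
    if not nums:
        return None
    parts = [int(n) for n in nums[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Return 'affected', 'fixed', or 'review' (needs a human look)."""
    version = parse_version(version_text)
    if version is None:
        return "review"              # empty or unparseable version string
    if version < FIXED:              # numeric compare, so 1.1.10 > 1.1.4
        return "affected"
    suffix = version_text.strip().lstrip("vV")
    if version == FIXED and re.search(r"[-+a-zA-Z]", suffix):
        return "review"              # pre-release of the fixed version
    return "fixed"

def audit(inventory):
    """inventory maps site name -> JSON text from `wp plugin list --format=json`."""
    findings = []
    for site, raw in sorted(inventory.items()):
        for plugin in json.loads(raw):
            if plugin.get("name") == PLUGIN_SLUG:
                version = plugin.get("version", "")
                findings.append((site, version, plugin.get("status"), classify(version)))
    return findings

# Constructed sample inventory, not real scan output.
SAMPLE = {
    "blog.example": '[{"name":"nemesis-all-in-one","status":"active","update":"available","version":"1.1.3"},'
                    '{"name":"example-other-plugin","status":"active","update":"none","version":"0.9"}]',
    "shop.example": '[{"name":"nemesis-all-in-one","status":"active","update":"none","version":"1.1.4"}]',
    "old.example":  '[{"name":"nemesis-all-in-one","status":"inactive","update":"none","version":"1.1.10"}]',
}

if __name__ == "__main__":
    for site, version, status, verdict in audit(SAMPLE):
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) -> {verdict}")
```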
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is rated moderate. The EPSS score of less than 1% indicates a very low probability of active exploitation at present, and the issue is not listed in CISA KEV. Because the flaw is a stored XSS, an attacker must first inject content through one of the plugin's input fields. The likely attack vector is abuse of administrator or editor privileges to submit malicious content, or a separate compromise that allows content injection. Once stored, the script executes in the browser context of any visitor who accesses the infected content. Exploitation therefore requires content‑injection privileges or an alternative injection vector.