Impact
The vulnerability in the Awesome Logos plugin allows an attacker to inject arbitrary script into web pages that reflect user-supplied input. Because that input is neither sanitized nor escaped when the page is generated, an attacker can craft a link whose JavaScript executes in the browser of any visitor who follows it, potentially hijacking sessions, defacing content, or stealing credentials. This is a classic instance of Improper Neutralization of Input During Web Page Generation (CWE‑79), here in its reflected cross-site scripting form. The impact is confined to attacker-supplied code running in the victim's browser rather than on the server, but that still represents a serious compromise of confidentiality, integrity, and trust for affected users.
Affected Systems
The affected product is the WordPress Awesome Logos plugin by wpshopee, versions up to and including 1.2. No finer-grained version detail beyond the <= 1.2 boundary is provided, so every historical release up to and including 1.2 should be treated as vulnerable. The plugin runs inside WordPress, so any site that has not upgraded past version 1.2 is at risk.
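A quick way to check an installation against the <= 1.2 boundary is to read the Version: field from the plugin's main file header, which is the standard WordPress plugin header convention, and compare it numerically. The following is an added example, not code from the plugin or from the advisory; the sample header text and the idea that the main file carries exactly this header are assumptions, and the comparison deliberately avoids string ordering, which would misrank a hypothetical 1.10 below 1.2.

```python
import re

# Version boundary stated in the advisory: every release <= 1.2 is affected.
AFFECTED_MAX_VERSION = "1.2"

# Constructed sample of a WordPress plugin main-file header. The field values
# are assumptions for illustration, not the real plugin's source.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Awesome Logos
 * Version: 1.2
 * Author: wpshopee
 */
"""


def parse_version(version):
    """Turn '1.2', '1.10' or '1.2.1' into a comparable tuple of integers.

    Plain string comparison gets this wrong ('1.10' < '1.2'), a common
    mistake in ad-hoc version checks. Non-numeric suffixes are ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    # Drop trailing zeros so that 1.2.0 compares equal to 1.2.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def plugin_header_version(source):
    """Extract the 'Version:' header from a WordPress plugin main file."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version, boundary=AFFECTED_MAX_VERSION):
    """True when `version` falls inside the advisory's vulnerable range."""
    return parse_version(version) <= parse_version(boundary)


def check_plugin_file(source):
    """Return (version, affected) for the given plugin main-file contents."""
    version = plugin_header_version(source)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    print(check_plugin_file(SAMPLE_PLUGIN_FILE))
```

In a real deployment the source text would come from the plugin's main PHP file under wp-content/plugins; which file that is for this plugin is not stated on the page, so the script only reads a string you hand it.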
Risk and Exploitability
A CVSS score of 7.1 rates the flaw High severity, while an EPSS score below 1% indicates that exploitation in the wild is currently unlikely. The vulnerability is triggered through the plugin's normal web interface by reflected input, so the attack vector is remote over the web and requires no prior foothold on the server. The flaw is not listed in CISA's KEV catalog, so no known, widespread exploitation has been reported yet, but targeted attacks remain possible. Administrators should be aware that an attacker who can lure a user into opening a crafted URL immediately runs script in that user's browser with that user's session on the site.
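The two paragraphs above describe the weakness (unescaped reflection during page generation) and the exposure (a crafted URL is enough). The following added example, which is not code from the Awesome Logos plugin or the advisory, puts both on the page: a hypothetical page template that reflects two query parameters raw, the same template hardened with context-appropriate escaping plus a URL scheme allowlist, and a canary probe of the kind an administrator can run against a site after upgrading to confirm that reflected input now comes back neutralized. The parameter names title and link, the template markup, and every function name are assumptions for illustration.

```python
import html
import secrets
from urllib.parse import parse_qs, urlsplit, quote

# Hypothetical logo-listing templates illustrating CWE-79. The markup and the
# parameter names are assumptions, not the real plugin's code.


def render_vulnerable(query_string):
    """Interpolate reflected parameters with no neutralization (CWE-79)."""
    params = parse_qs(query_string)
    title = params.get("title", [""])[0]
    link = params.get("link", [""])[0]
    return (f"<h2>{title}</h2>\n"
            f'<a href="{link}" title="{title}">logo</a>')


def safe_url(url):
    """Allowlist http(s) links; javascript:, data: and friends collapse to '#'.

    An allowlist is used rather than a blocklist so that case tricks and
    control characters in the scheme cannot slip past the check.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_hardened(query_string):
    """Escape each value for the HTML context it lands in.

    html.escape() neutralizes <, >, &, " and ' for text and attribute
    contexts; an href additionally needs a scheme check, because a
    javascript: URL contains no metacharacters to escape.
    """
    params = parse_qs(query_string)
    title = params.get("title", [""])[0]
    link = params.get("link", [""])[0]
    return (f"<h2>{html.escape(title)}</h2>\n"
            f'<a href="{html.escape(safe_url(link))}" '
            f'title="{html.escape(title)}">logo</a>')


def reflects_unescaped(render, param, probe='"><svg/onload=x>'):
    """Probe one parameter with a unique canary wrapped in HTML metacharacters.

    Returns 'raw reflection' when the probe comes back verbatim (the page is
    exploitable), 'reflected but escaped' when only the canary survives, and
    'not reflected' when the parameter is not echoed at all. `render` stands
    in for fetching the live page; against a real site it would issue the
    HTTP request and return the response body.
    """
    canary = "c" + secrets.token_hex(4)
    payload = canary + probe
    body = render(f"{param}={quote(payload)}")
    if canary not in body:
        return "not reflected"
    return "raw reflection" if payload in body else "reflected but escaped"


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        print(name, "title:", reflects_unescaped(render, "title"))
        print(name, "link :", render(
            "link=javascript:alert(1)").split("\n")[1])
```

The canary carries a random tail so that a hit cannot be confused with static page content, and the probe closes an attribute and a tag so that it exercises both the text and the attribute contexts in one request; a site that returns it with the quotes and angle brackets intact is still vulnerable regardless of what version the plugin reports.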
OpenCVE Enrichment