Impact
The Widgetize Pages Light plugin contains an improper input neutralization flaw (CWE-79, cross-site scripting) that lets an attacker inject script into a page served by the site. The attacker delivers a crafted payload through a URL parameter or form input that the plugin echoes back into the generated page without output encoding, so the browser parses the payload as markup and runs the embedded script in the origin of the vulnerable site. Consequences include cookie theft and session hijacking, defacement, and delivery of further malicious content to users who open the affected page; even where session cookies are not readable by script, code running in the site's origin can issue requests that carry the victim's session.
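To make the mechanism concrete, here is an added example (not code from the plugin or from the advisory) that models the bug class in a few lines of Python: a request parameter reflected into two output contexts, once with no neutralization and once with context-appropriate encoding, plus a small HTML-parser check that counts the script elements and event-handler attributes a browser would execute. The query strings, the parameter name `q` and the page layout are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed query strings as they would arrive in the request URL. They cover
# the two output contexts involved and are not taken from any real exploit.
TEXT_CONTEXT_QUERY = "q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
ATTRIBUTE_CONTEXT_QUERY = "q=%22+autofocus+onfocus%3D%22alert%28document.domain%29"
BENIGN_QUERY = "q=widgets"


def first_param(query: str, name: str) -> str:
    """Percent-decodes the query string and returns the first value of `name`."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the parameter into an attribute value and into element text
    with no neutralization: this is the flaw pattern, kept deliberately unsafe."""
    q = first_param(query, "q")
    return f'<form><input name="q" value="{q}"></form><p>Results for {q}</p>'


def render_hardened(query: str) -> str:
    """Same page with output encoding applied at every reflection point.
    quote=True is what makes the attribute context safe: without it a double
    quote in the input terminates the value attribute and the rest of the
    payload becomes new attributes, such as an on* event handler."""
    q = escape(first_param(query, "q"), quote=True)
    return f'<form><input name="q" value="{q}"></form><p>Results for {q}</p>'


class ActiveContentFinder(HTMLParser):
    """Counts markup a browser would execute: <script> elements and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        # HTMLParser lowercases attribute names, so a plain prefix test is enough.
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def executable_markup(html: str) -> int:
    """Returns how many script elements or event-handler attributes the page contains."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.script_tags + finder.event_handlers


if __name__ == "__main__":
    for label, query in [("text context", TEXT_CONTEXT_QUERY),
                         ("attribute context", ATTRIBUTE_CONTEXT_QUERY),
                         ("benign", BENIGN_QUERY)]:
        print(f"{label}: vulnerable={executable_markup(render_vulnerable(query))} "
              f"hardened={executable_markup(render_hardened(query))}")
```

The second payload is the reason a filter that only strips `<script>` tags is not a fix: it contains no tag at all and relies on closing the attribute it lands in. Encoding for the output context, rather than filtering the input, neutralizes both cases; in a WordPress plugin the equivalent is to pass every reflected value through the escaping helper for its context (attribute, text, URL) at the point of output.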
Affected Systems
The flaw affects the OTWthemes Widgetize Pages Light plugin for WordPress. All versions from the initial release up to and including 3.0 are susceptible. The data lists no fixed minor or patch release, so any installed copy at version 3.0 or earlier should be treated as affected.
Risk and Exploitability
The CVSS score of 7.1 places this issue in the High severity band (7.0 to 8.9), while the EPSS score of less than 1% indicates that exploitation in the wild is currently considered low probability. The vulnerability is not listed in the CISA KEV catalog. An attacker can likely trigger the flaw by placing a script payload in a query parameter or widget configuration field that the plugin reflects into the generated page. No privileges on the site appear to be required, so the attack vector is network reachable; because the payload is reflected rather than stored, however, exploitation depends on a victim opening an attacker-supplied link or submitting a crafted form, and the injected script then runs with whatever session that victim holds, including an administrator session if the target is a logged-in site owner.
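Because the payload travels in the query string of an ordinary GET request, attempts against this kind of flaw leave a trace in web server access logs. The following is an added example (not from the advisory or the plugin) of the detection logic a SOC analyst would run over combined-format log lines: it percent-decodes each query string repeatedly, so that double-encoded payloads are seen in the form the server reflects, and flags coarse script-injection indicators. The log lines, IP addresses, paths and parameter names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx combined log format. They are
# illustrative only and not taken from any real incident involving the plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /?s=widgets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:01:09 +0000] "GET /sample-page/?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 5340 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:01:15 +0000] "GET /sample-page/?q=%2522%2520autofocus%2520onfocus%253D%2522alert%25281%2529 HTTP/1.1" 200 5340 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:10:02:00 +0000] "GET /about/?section=news&one=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicators of script injection, applied to the decoded query string.
# The on*= check requires an attribute-like position (preceded by whitespace,
# a quote or a slash) so that ordinary query keys such as &one=1 do not match.
XSS_INDICATOR = re.compile(
    r"<\s*script\b|(?<=[\s\"'/])on[a-z]+\s*=|javascript\s*:|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decodes repeatedly until the string stops changing, so a
    double-encoded payload (%2522 -> %22 -> ") is examined in its final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Returns one record per request whose decoded query string matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = decode_fully(urlsplit(m["target"]).query)
        ind = XSS_INDICATOR.search(query)
        if ind:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                "decoded_query": query,
                "indicator": ind.group(0),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} matched {h["indicator"]!r} in {h["decoded_query"]!r}')
```

A 200 response on a flagged request does not by itself prove the reflection succeeded, since the plugin may not reflect that particular parameter, but repeated hits from one client against the same path are a reasonable trigger for pulling the page and checking whether the payload comes back unencoded. The indicators are intentionally broad and will need tuning against the site's legitimate parameters.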
OpenCVE Enrichment