Impact
The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of user input during web page rendering in the Vektor, Inc. VK Filter Search WordPress plugin. It enables an attacker to inject arbitrary HTML or JavaScript that will run in the browsers of any visitor who views the affected content. The failure to sanitize input can lead to unauthorized script execution, potentially allowing attackers to modify page content, execute malicious code in the context of the site, or disrupt user experience.
Affected Systems
All releases of the VK Filter Search plugin from the earliest version through version 2.20.2 are affected. WordPress sites that run any of these versions of the plugin are potentially vulnerable.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate severity. The EPSS score is below 1 %, suggesting a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be able to submit or modify content through the plugin’s interface, which is typically available to authenticated users with content‑creation privileges. Based on the description, the likely attack vector is the WordPress administrative area where the plugin is used, but this is inferred as the CVE does not explicitly state the attacker’s capabilities.