Impact
Improper neutralization of input during web page generation results in a stored cross-site scripting (XSS) vulnerability in the Waymark plugin. When an attacker injects malicious script into content that is subsequently displayed, the code runs in any visitor's browser, enabling cookie theft, session hijacking, defacement, or redirection to malicious sites. The impact is not limited to a particular user role: once the malicious content is stored, any user who views the affected page is impacted.
Affected Systems
The vulnerability affects the Waymark plugin for WordPress provided by Joe. All versions from the first release up to and including 1.5.3 are vulnerable. WordPress sites that have any of these versions of Waymark installed are impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% shows a low probability of current exploitation, yet the vulnerability remains publicly known. It is not listed in the CISA KEV catalog. The likely attack vector involves attackers who can submit or edit content in the plugin (such as administrators or users with content-creation privileges) injecting malicious script that is stored and executed when any user views the affected page. Because the flaw is stored, the attack does not require immediate user interaction beyond accessing the page that renders the malicious payload.