Impact
The vulnerability is a stored cross‑site scripting flaw that occurs when the DIOT SCADA with MQTT WordPress plugin’s 'diot' shortcode accepts unescaped user input. It is a typical CWE‑79 problem where insufficient input sanitization allows malicious scripts to be saved in the database and run in a user’s browser. An attacker could inject JavaScript that executes whenever a page containing the injected content is viewed, potentially hijacking user sessions, exfiltrating data, or modifying page content.
Affected Systems
Any installation of the DIOT SCADA with MQTT plugin for WordPress that is running version 1.0.5.1 or earlier is affected. This includes all WordPress sites that have the plugin installed and have not upgraded beyond the stated version.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4 and an EPSS score of less than 1 %, indicating a moderate severity but a low probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires an authenticated account with contributor rights or higher privileges, which are typically available to regular content editors. Once the malicious content is injected, every user who views the page will execute the injected scripts, providing an opportunity for widespread impact across the site’s user base.
OpenCVE Enrichment
EUVD