The vulnerability lies in improper neutralization of user input during web page generation, allowing a stored XSS payload to persist within the WP Vegas plugin’s background slider data. An attacker who can inject malicious code into slider content can cause that code to run in the browsers of any visitor who views the affected page, potentially enabling credential theft, defacement, or the delivery of malware. The weakness is a classic input‑validation flaw reflected in CWE‑79. No evidence in the description indicates that the flaw leads to code execution on the server or access to privileged accounts; the impact is limited to the browser context of page viewers.

WordPress sites that have the WP Vegas plugin (jamesdbruner) installed in versions 2.2 or earlier. The vulnerability list states "from n/a through <= 2.2" implying every release of the plugin up to that version is affected.

The CVSS score of 6.5 places this issue in the medium severity range, and the EPSS score of less than 1 % indicates a very low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed mass exploitation reported. Attackers would need to supply the malicious payload when creating or editing a slider, which typically requires administrator or at least editor access to the plugin’s content editor. Once injected, the stored code would propagate automatically to all visitors of pages rendering the slider. Given the moderate score and low exploitation probability, the risk to systems that are actively used sites can still be significant but is expected to be lower than high‑severity remote‑code vulnerabilities.