Improper neutralization of user input during web page generation allows an attacker to inject malicious scripts that execute in the victim's browser. The vulnerability is a DOM‑based cross‑site scripting flaw, meaning the attacker can craft URLs or form data that the plugin processes without proper encoding or validation, leading to potential session hijacking, defacement, or redirection to malicious sites. This weakness, identified as CWE‑79, compromises the confidentiality and integrity of user data and can affect any user interacting with the plugin’s outputs.

The flaw is present in the Fable Extra WordPress plugin by WPFable. All releases from the initial version up through 1.0.6 are affected, and the problem will persist until a newer, patched version is installed. Administrators who have retained a version of the plugin older than 1.0.7 (or the appropriate fix release) are at risk.

The CVSS score of 6.5 indicates a moderate level of severity. The EPSS score of less than 1% suggests a very low probability of widespread exploitation at the present time, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the attack vector is likely remote: an attacker can deliver a crafted link or payload through any interface that the plugin renders, such as a logged‑in admin panel or a public form. If the site allows arbitrary input through the plugin, the flaw can be triggered by any visitor who accesses the injected content, making it a silent but damaging risk.