Impact
The vulnerability is a DOM‑Based Cross‑Site Scripting flaw in the Inline Text Popup plugin that allows an attacker to inject malicious scripts into a web page. This flaw can be exploited by manipulating input that the plugin incorporates directly into the page’s DOM, enabling the attacker to run arbitrary code in the victim’s browser. Successful exploitation could lead to the theft of session cookies, defacement, or redirecting users to phishing sites, thereby compromising confidentiality and integrity.
Affected Systems
The affected product is the Inline Text Popup plugin from Webplanetsoft. Any installation of the plugin with a version number of 1.0.0 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker crafting a URL or input that the plugin processes without proper sanitization, causing arbitrary JavaScript to execute in the context of the site. An attacker would need access to a page that renders the popup or the ability to send input to the plugin’s input fields. The impact is confined to the victim’s browser session, but it can be used for phishing or credential theft.