Impact
The reported flaw is an improper neutralization of user input during page rendering in the Parakoos Image Wall plugin, which results in a stored cross‑site scripting (XSS) vulnerability. The defect allows an attacker to inject malicious JavaScript into the plugin’s content area; because the payload is persisted on the server, it executes in the browser of every visitor who loads the affected page. Once injected, the attack can be used to hijack user sessions, steal cookies, deface the site, or redirect users to phishing pages.
Affected Systems
The vulnerability affects all releases of the Image Wall plugin up to and including version 3.1. The plugin is a WordPress add‑on developed by Parakoos and is typically deployed on publicly accessible websites that use WordPress as their CMS. No specific operating system or PHP version constraints are mentioned, so any site running a compatible WordPress installation with this plugin is potentially impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates medium to high severity, and the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation. The flaw is not yet listed in the CISA KEV catalog, but the stored nature of the XSS and the wide distribution of the plugin mean that an attacker could realistically exploit the weakness by submitting crafted content through the plugin’s interface or by leveraging another user’s ability to input data. The primary vector is client‑side execution driven by malicious content stored on the server and rendered without escaping.
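To make the vulnerability class in the Impact and Risk sections concrete, the following is an added illustration written for this page; it is not code from the Parakoos Image Wall plugin, and the function names, entry fields and sample records are hypothetical. It shows a wall-rendering routine that interpolates stored image metadata straight into markup (the pattern "improper neutralization during page rendering" describes) next to the same routine using WordPress's context-specific escaping helpers. The small `function_exists` stand-ins only let the file run outside WordPress; inside WordPress the real `esc_url()`, `esc_attr()` and `esc_html()` are used.

```php
<?php
// Added example (hypothetical), not the plugin's own code. Demonstrates a
// stored-XSS rendering defect and the escaped-output fix for a WordPress plugin.

// Stand-ins so the example runs outside WordPress. They are simplified;
// WordPress's real helpers are used when the file is loaded inside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified: accept only http(s) URLs, then attribute-escape them.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Constructed sample of stored wall entries; the second record is hostile and
// stands for content submitted through the plugin's interface by a low-privilege user.
$entries = [
    ['src' => 'https://example.test/a.jpg', 'caption' => 'Sunset over the bay'],
    ['src' => 'javascript:alert(1)',        'caption' => '<script>alert(1)</script>'],
];

// VULNERABLE: stored values are interpolated directly into HTML, so a caption
// becomes markup and a src value becomes an arbitrary URL scheme.
function render_wall_unsafe(array $entries): string {
    $html = '<div class="image-wall">';
    foreach ($entries as $e) {
        $html .= '<figure><img src="' . $e['src'] . '" alt="' . $e['caption'] . '">'
               . '<figcaption>' . $e['caption'] . '</figcaption></figure>';
    }
    return $html . '</div>';
}

// HARDENED: each value is escaped for the exact context it is written into.
function render_wall_safe(array $entries): string {
    $html = '<div class="image-wall">';
    foreach ($entries as $e) {
        $src = esc_url($e['src']);       // URL context: non-http(s) schemes are dropped
        if ($src === '') {
            continue;                    // no acceptable URL, so no <img> at all
        }
        $alt = esc_attr($e['caption']);  // attribute-value context
        $cap = esc_html($e['caption']);  // text-node context
        $html .= '<figure><img src="' . $src . '" alt="' . $alt . '">'
               . '<figcaption>' . $cap . '</figcaption></figure>';
    }
    return $html . '</div>';
}

echo render_wall_unsafe($entries), PHP_EOL; // hostile caption survives as live markup
echo render_wall_safe($entries), PHP_EOL;   // hostile entry is neutralized / dropped
```

Run with `php example.php` and compare the two lines: the unsafe output contains a literal `<script>` element and a `javascript:` src, while the safe output renders the caption as visible text and omits the entry whose URL failed validation. The point to carry over to a real plugin is that escaping belongs at output time and must match the context (URL, attribute, text node); sanitizing on save is useful defense in depth but does not replace it.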
OpenCVE Enrichment