Impact
This vulnerability is a stored cross-site scripting flaw caused by improper neutralization of user-supplied input during web page generation. An attacker can inject malicious JavaScript that persists across multiple visitors, enabling session hijacking, credential theft, or the execution of arbitrary client-side actions. The weakness is classified as CWE-79, indicating insecure handling of potentially dangerous input. The impact is limited to the web application and the browser of the victim, but it can expose sensitive data and compromise user accounts if the attacker can trick website visitors into interacting with the affected page.
Affected Systems
The flaw exists in the WordPress plugin Goal Tracker for Patreon released by vikingjs. All installed instances of the plugin from initial release through version 0.4.6 are vulnerable. No other products or vendors are listed as affected.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% indicates a very low but non-zero probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit this flaw by submitting malicious content into plugin fields that are rendered without proper sanitization, resulting in stored XSS that is delivered to any site visitor.
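To make the mechanism concrete, here is an added example of how a stored XSS of this kind arises in a WordPress plugin and how it is fixed; it is not code from the Goal Tracker for Patreon plugin, and the option name, field name and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Option, field and function names are hypothetical.
// Scenario: an admin-editable "goal description" is stored in the options table and later
// rendered on the public site. Stored XSS needs only two defects: storing the raw value
// and echoing it without escaping.

// --- Vulnerable pattern (before) ---
function gt_example_save_vulnerable() {
    // No capability check, no nonce, no sanitization: whatever was posted is stored as-is.
    update_option( 'gt_example_goal_description', $_POST['goal_description'] );
}

function gt_example_render_vulnerable() {
    // Raw output: a stored <script> tag or on* attribute runs in every visitor's browser.
    echo '<div class="goal">' . get_option( 'gt_example_goal_description' ) . '</div>';
}

// --- Hardened pattern (after) ---
function gt_example_save_hardened() {
    // Only users allowed to manage options may write, and the request must carry a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'gt_example_save_goal' );
    // Sanitize on input: sanitize_text_field() strips tags and control characters
    // from a value that is meant to be plain text.
    $value = sanitize_text_field( wp_unslash( $_POST['goal_description'] ?? '' ) );
    update_option( 'gt_example_goal_description', $value );
}

function gt_example_render_hardened() {
    // Escape on output, for the context being written into (attribute vs. element text).
    // Output escaping is the control that actually prevents XSS; input sanitization is
    // defense in depth, since other code paths may write the same option.
    $text = get_option( 'gt_example_goal_description', '' );
    echo '<div class="goal" title="' . esc_attr( $text ) . '">' . esc_html( $text ) . '</div>';
}

// If the field legitimately needs limited markup, allow-list it rather than trusting it.
function gt_example_render_limited_html() {
    $allowed = array(
        'a'      => array( 'href' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    echo wp_kses( get_option( 'gt_example_goal_description', '' ), $allowed );
}
```

When the option is registered through the Settings API, passing `sanitize_callback` to `register_setting()` applies the same sanitization to every write path, not just the one handler shown here.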
OpenCVE Enrichment