Impact
Improper neutralization of input during page generation allows the Nasa Core plugin to store malicious scripts in the site's database. The flaw is a stored XSS (CWE-79) that is triggered when an attacker injects crafted input into plugin configuration fields. When the affected pages are rendered, the script executes in the browser of any user viewing those pages, potentially enabling credential theft, session hijacking, or defacement of content.
Affected Systems
The vulnerability affects the Nasa Core plugin for WordPress in all versions from the earliest release up to, but not including, 6.4.1. The plugin is maintained by the vendor NasaTheme.
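To check an installation against the affected range, the following added example (not code from the advisory or the vendor) reads the version from a plugin's header comment and compares it numerically with 6.4.1. The plugin directory is supplied by the operator, the sample header is constructed, and the header pattern is an assumption modeled on the standard WordPress plugin header format.

```python
import re
import sys
from pathlib import Path

FIXED = (6, 4, 1)  # first fixed release named in the advisory
# Header fields sit in the comment block at the top of the main plugin file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

# Constructed sample header (not the vendor's file), used for a dry run.
SAMPLE = """<?php
/**
 * Plugin Name: Nasa Core
 * Version: 6.3.9
 */
"""

def read_header(php_source):
    """Return the 'plugin name' and 'version' header fields that are present."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # only the file head
        fields.setdefault(key.lower(), value.strip(" \t*/\r"))
    return fields

def version_tuple(version):
    """'6.4' -> (6, 4, 0). A suffix such as '-beta' is ignored, so review those by hand."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (len(FIXED) - len(parts)))

def is_affected(version):
    """True when the version is lower than 6.4.1 (numeric, not string, comparison)."""
    return version_tuple(version) < FIXED

def audit(plugin_dir):
    """Find the top-level .php file carrying the plugin header and classify it."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        fields = read_header(php.read_text(encoding="utf-8", errors="replace"))
        if "plugin name" in fields and "version" in fields:
            return fields["plugin name"], fields["version"], is_affected(fields["version"])
    return None  # no plugin header found in this directory

if __name__ == "__main__":
    # Pass the plugin directory to audit; with no argument, parse the sample.
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else read_header(SAMPLE)
    print(result)
```

A result whose last element is `True` means the installed copy is below 6.4.1 and falls within the affected range described above.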
Risk and Exploitability
The CVSS score of 6.5 characterizes the flaw as moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The issue is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the WordPress administrative interface where users can input data into plugin options; an attacker with sufficient privileges or a compromised user account could inject and store the malicious code, which then executes for all site visitors.