The vulnerability is an improper neutralization of input during web page generation, classified as a stored cross‑site scripting flaw (CWE‑79). An attacker can inject malicious scripts that are rendered by a visitor's browser, potentially leading to session hijacking, defacement, or theft of sensitive data. The impact involves both confidentiality and integrity of the user's authentication session, as well as the integrity of the web content.

The flaw affects the WPlugged.com WordPress WebHotelier plugin for all releases up to and including version 1.9.2. This plugin is used to manage hotel bookings on WordPress sites; any installation of the plugin in a vulnerable version is at risk.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% shows that the probability of exploitation at this time is low. The vulnerability is not listed in the CISA KEV catalog, and no widespread active exploitation reports exist. A likely attack vector is a web request that stores malicious input—such as a booking form or plugin configuration field—directly into the database and later displays it without proper escaping. Successful exploitation requires access to a path that the plugin renders to end users. The risk is mitigated by promptly applying the vendor-published fix or by disabling the vulnerable functionality until a patch is available.