Impact
Dashboard Beacon fails to properly neutralize user-supplied input during web page generation, a stored cross-site scripting (XSS) flaw that lets an attacker embed JavaScript which a victim's browser will execute. As a result, an attacker can hijack sessions, exfiltrate data, deface content, or carry out other client-side attacks against anyone who views the affected page. The weakness is a classic improper-neutralization problem, classified as CWE-79.
Affected Systems
The vulnerability exists in all releases of the WordPress plugin Dashboard Beacon from janhenckens up to and including version 1.2.0. Releases with a higher version number are not affected.
Risk and Exploitability
The CVSS score of 5.9 signals moderate severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The issue is not in CISA's KEV catalog, suggesting no current large-scale attacks. An attacker would first need to supply malicious content that the plugin stores and later displays, which likely requires some level of user privilege to add or edit such content, though the CVE description does not disclose the specific privilege level. Once stored, the payload runs in the browser of every user who views the affected page, so any site that allows such content submission is at risk.
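The store-then-display pattern described above, as an added illustration that is not Dashboard Beacon's own code: a WordPress-style dashboard widget rendered first without neutralization and then with HTML escaping applied at output time. The function names (dbx_*), the option name and the sample stored string are hypothetical; the helper uses WordPress's esc_html() when it is available and falls back to PHP's htmlspecialchars() so the file also runs stand-alone.

```php
<?php
// Added example (not Dashboard Beacon's code). Names prefixed dbx_ are hypothetical.

// Escape a value for an HTML text context. Inside WordPress, esc_html() is the
// idiomatic call; outside it, htmlspecialchars() with ENT_QUOTES gives the same
// neutralization of <, >, &, " and '.
function dbx_escape_html(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// VULNERABLE (CWE-79): stored text is concatenated straight into the markup
// during page generation, so any <script> it contains becomes live code.
function dbx_render_widget_vulnerable(string $stored_message): string {
    return '<div class="dbx-widget">' . $stored_message . '</div>';
}

// HARDENED: the same stored value is neutralized for the HTML context at the
// point of output; whatever was saved is displayed as inert text.
function dbx_render_widget_safe(string $stored_message): string {
    return '<div class="dbx-widget">' . dbx_escape_html($stored_message) . '</div>';
}

// Defense in depth on the save path: require a capability and strip tags on
// the way in. In WordPress this would wrap current_user_can() and
// sanitize_text_field(); the stand-alone fallback mirrors their effect.
function dbx_save_message(string $submitted, bool $user_may_edit): ?string {
    if (!$user_may_edit) {
        return null; // reject the write entirely
    }
    if (function_exists('sanitize_text_field')) {
        return sanitize_text_field($submitted);
    }
    return trim(strip_tags($submitted));
}

// Constructed sample of attacker-controlled content that reached storage
// (for example because a lower-privileged role was allowed to save it).
$stored = 'Welcome <script>alert(1)</script>';

echo "Vulnerable render:\n", dbx_render_widget_vulnerable($stored), "\n\n";
echo "Hardened render:\n", dbx_render_widget_safe($stored), "\n\n";
echo "Sanitized on save:\n", var_export(dbx_save_message($stored, true), true), "\n";
echo "Rejected without privilege:\n", var_export(dbx_save_message($stored, false), true), "\n";
```

The decisive fix for CWE-79 is the output-time escaping in dbx_render_widget_safe(): escaping must match the context the value lands in (esc_attr() for attribute values, esc_url() for href/src, wp_json_encode() for inline script data), and it has to happen even if the input was sanitized on save, because stored data can be altered by other plugins, imports or direct database edits. The save-side capability check and sanitization in dbx_save_message() only narrow who can plant a payload; they are not a substitute for escaping.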
OpenCVE Enrichment