Impact
The vulnerability is an improper neutralization of input during web page generation in the Content Fetcher plugin, allowing DOM‑based cross‑site scripting. An attacker can inject and execute arbitrary JavaScript in the context of users who view a page containing the content fetched by the plugin. This can lead to cookie theft, session hijacking, defacement, or delivery of malicious payloads to victims, compromising confidentiality and integrity of the site and its users.
Affected Systems
Affected systems are WordPress sites running the Content Fetcher plugin by Ruhul Amin. All installations of the plugin through version 1.1 are affected; the description references no later version.
Risk and Exploitability
The CVSS score of 6.5 denotes a moderate risk. The EPSS score is less than 1%, indicating a very low exploitation probability at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is user interaction with a page that includes content fetched by the plugin, either by clicking a crafted link or by visiting a page that displays user‑supplied data. While the vulnerability is not actively exploited at a high rate, the impact on any affected user is significant because the malicious code runs in the browser with the victim’s credentials.