The vulnerability allows attackers to inject malicious script that is stored by the If‑So Dynamic Content Personalization plugin and executed every time a page containing that content is rendered. This can lead to cookie theft, credential compromise, defacement, or phishing attacks against users of the affected WordPress site. The flaw results from improper neutralization of user input during HTML generation, a classic XSS weakness (CWE‑79).

All WordPress installations using the If‑So Dynamic Content Personalization plugin version 1.9.3.1 or earlier are vulnerable. The issue applies to any site that has installed the plugin through the WordPress plugin repository or otherwise, regardless of the website theme or additional configurations.

The CVSS score of 6.5 indicates a medium impact with potential for data theft or site manipulation. The EPSS score of less than 1% suggests that, at this time, the likelihood of public exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. However, attackers can exploit this weakness by submitting user‑controlled content via the plugin’s input fields or user‑generated content areas; the payload is then stored and rendered unescaped, enabling the execution of arbitrary JavaScript in the context of any visitor to the rendered page. The known attack vector is remote, requiring only that the plugin's input mechanisms be accessible to an attacker.