Impact
The vulnerability is a DOM-based cross-site scripting flaw: client-side script shipped by the WPAdverts plugin reads attacker-controllable input (from a crafted URL or from plugin configuration) and writes it into the page without neutralizing it, so any markup or JavaScript in that input runs in the victim's browser within the site's origin. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Its direct impact is client-side script execution, which can lead to session hijacking, theft of credentials or tokens, and defacement of the site.
Affected Systems
The affected systems are WordPress installations running the WPAdverts plugin at version 2.2.4 or older. Any site on one of those versions is at risk until the plugin is updated to version 2.2.5 or newer; administrators can confirm the installed version on the Plugins screen or with WP-CLI (`wp plugin list`). No other WordPress plugins or core components are impacted.
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the Medium severity band, and the EPSS score of under 1% indicates a low probability of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. As a DOM-based XSS, it requires a victim to load a vulnerable page with the malicious input present, so the expected attack vector is a crafted link delivered by phishing or embedded in content the victim will click or view. Two caveats apply. First, a DOM-based payload can travel in the URL fragment, which browsers never send to the server, so web server logs and server-side WAF rules may not record the attack. Second, the flaw itself only executes script in the browser and gives no direct server-side code execution, but script running in the site's origin acts with the victim's session: if the victim is a WordPress administrator, it can drive authenticated actions with the cookies and nonces the browser already holds, which can escalate to plugin installation or other changes amounting to full site compromise.
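The mechanism described under Impact and the delivery path described above, as an added example that is not WPAdverts code and not taken from the advisory: a minimal model of a client-side script that reads a parameter from the URL and places it in HTML, shown in its unsafe form and its escaped form. The parameter name `q`, the `adverts-results` markup and the crafted URL are assumptions constructed for the demonstration; the payload is carried in the URL fragment to illustrate why the server never sees it.

```javascript
// Added example of a DOM-based XSS sink and its fix. NOT WPAdverts code;
// the parameter name "q" and the page markup are assumptions for the demo.

// Read a value from the URL the way client-side listing/search scripts often
// do. Both the query string and the fragment are attacker-controllable via a
// crafted link; the fragment is never sent to the server, so server-side
// filters and access logs cannot see it.
function readUrlParam(href, name) {
  const url = new URL(href);
  const fromQuery = url.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  return fragment.get(name);
}

// Vulnerable pattern: untrusted input is concatenated into markup destined for
// a sink such as element.innerHTML. Any tag or attribute in the value becomes
// part of the page and runs within the site's origin.
function renderUnsafe(value) {
  return '<p class="adverts-results">Results for: ' + value + "</p>";
}

// Hardened pattern: neutralize the HTML-significant characters before the
// value is placed in an HTML context (the browser-side equivalent of using
// textContent, or of esc_html()/esc_attr() in WordPress PHP).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderSafe(value) {
  return '<p class="adverts-results">Results for: ' + escapeHtml(value) + "</p>";
}

// Crude check used by the demo: does the markup contain a scriptable element
// or an event-handler attribute inside a real tag?
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe)\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed crafted URL, as a phishing link would carry it. The payload sits
// in the fragment, so a request log would only show /adverts/ being fetched.
const CRAFTED_URL =
  "https://example.test/adverts/#q=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

const payload = readUrlParam(CRAFTED_URL, "q");
console.log("unsafe:", renderUnsafe(payload), containsActiveMarkup(renderUnsafe(payload)));
console.log("safe  :", renderSafe(payload), containsActiveMarkup(renderSafe(payload)));
```

Running the block prints the unsafe rendering (flagged as active markup) next to the escaped rendering (not flagged). The fix is the same one the plugin update applies in spirit: encode for the output context at the point where untrusted data enters the DOM, rather than trying to filter payloads on the way in.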