Impact
The vulnerability is a DOM‑based Cross‑Site Scripting flaw that allows a malicious actor to inject and execute arbitrary JavaScript within the context of a victim’s browser. This type of flaw falls under CWE‑79 and can lead to session hijacking, defacement, or the delivery of malicious payloads to users who visit affected pages. The impact is limited to the victim’s browser; it does not compromise the server itself.
Affected Systems
Craig Hewitt’s Seriously Simple Podcasting plugin for WordPress is affected for all versions up to and including 3.11.1. Sites running these plugin versions on any WordPress installation are vulnerable.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate risk. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low, and the flaw is not currently listed in CISA’s KEV catalog. However, because the attack can be triggered by a crafted URL or by input that reaches the plugin, a determined attacker could lure active users to such a URL so that attacker-supplied script runs in their browsers. The primary attack vector is DOM-based XSS via the plugin’s web interface, inferred from the description and the nature of the flaw. No additional exploitation prerequisites are stated in the provided data.
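As an added illustration (not code from the advisory, the plugin or OpenCVE), the following is a small scanner a site owner or reviewer could run over a plugin's front-end JavaScript to spot the pattern the advisory describes: URL-derived data reaching an HTML-writing sink without sanitisation. The sample source, the source/sink lists and the sanitiser names are constructed assumptions; it tracks only straight-line assignments, so it is a triage aid rather than a full taint analysis.

```javascript
// Constructed sample of plugin-style front-end code (hypothetical, not the
// real plugin): URL-controlled data reaches one HTML sink unsafely.
const SAMPLE_SOURCE = `
const params = new URLSearchParams(location.search);
const episode = params.get('episode');
const player = document.getElementById('player');
player.innerHTML = '<h2>' + episode + '</h2>';  // unsafe: URL data into an HTML sink
const label = document.getElementById('label');
label.textContent = episode;                    // safe: rendered as inert text
const notes = location.hash.slice(1);
document.getElementById('notes').innerHTML = DOMPurify.sanitize(notes);  // sanitised first
`;

// Attacker-controlled DOM sources (the "crafted URL" vector) and HTML sinks.
const SOURCE_RE = /\b(?:location\.(?:hash|search|href)|document\.URL|window\.name)\b/;
const SINK_RE = /\.(?:innerHTML|outerHTML|insertAdjacentHTML)\b|\bdocument\.write\b|\.html\(/;
// Calls assumed to neutralise HTML before the sink; their presence suppresses a finding.
const SAFE_RE = /\b(?:DOMPurify\.sanitize|escapeHtml|encodeURIComponent)\b/;
// `name = expr` (optionally declared); the (?!=) avoids matching comparisons.
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

function mentionsAny(text, names) {
  for (const name of names) {
    if (new RegExp(`\\b${name.replace(/\$/g, '\\$')}\\b`).test(text)) return true;
  }
  return false;
}

// Returns one finding per line where a URL source, or a variable derived
// from one by straight-line assignment, reaches an HTML sink without a
// recognised sanitiser on the same line.
function findDomXssSinks(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const m = ASSIGN_RE.exec(line);
    if (m && (SOURCE_RE.test(m[2]) || mentionsAny(m[2], tainted))) tainted.add(m[1]);
    const fromUrl = SOURCE_RE.test(line) || mentionsAny(line, tainted);
    if (SINK_RE.test(line) && fromUrl && !SAFE_RE.test(line)) {
      findings.push({ line: i + 1, code: line.trim() });
    }
  });
  return findings;
}

console.log(findDomXssSinks(SAMPLE_SOURCE));
```

On the constructed sample it reports only the `player.innerHTML` line; the `textContent` write and the sanitised write are left alone.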
OpenCVE Enrichment