Impact
The WP Voting Contest plugin fails to neutralise user-supplied input before it is written into generated web pages (CWE-79), so an attacker can store JavaScript inside poll or result data. When a visitor loads a page that renders that data, the injected script executes in the visitor's browser in the context of the site. Depending on who views the page, this enables session riding (actions performed with the victim's privileges, including an administrator's), content defacement, or phishing overlays. Outright cookie theft is less likely than the generic description suggests, because WordPress marks its authentication cookies HttpOnly by default. This is a stored Cross-Site Scripting issue: it gives no direct code execution on the server, but it compromises the confidentiality and integrity of every user who views an affected page.
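The pattern behind a finding like this, shown as an added illustration rather than the plugin's own code: stored data concatenated straight into HTML, next to the same rendering with context-appropriate output escaping and an input-side sanitiser. The function names (`vc_render_entry_*`, `vc_prepare_for_storage`), the field names and the sample entry are invented for the example; the `function_exists` polyfills only exist so the file runs under a plain `php` interpreter, and inside WordPress the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` take over.

```php
<?php
// Added example of the CWE-79 pattern described above. This is NOT the
// WP Voting Contest plugin's code; function and field names are invented.
// Polyfills let the file run outside WordPress; inside WordPress the real
// esc_html()/esc_attr()/sanitize_text_field() are already defined.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Rough stand-in for WordPress' sanitize_text_field(): strip tags, trim.
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}

// Constructed sample: a contest entry whose title was taken verbatim from a
// submission form. The payload is a generic stored-XSS probe, not from the CVE.
$entry = array(
    'id'    => 7,
    'title' => 'Best photo <img src=x onerror=alert(document.domain)>',
    'votes' => '12',
);

// Vulnerable: raw stored data concatenated into the HTML response.
function vc_render_entry_vulnerable( array $e ) {
    return '<li data-id="' . $e['id'] . '">' . $e['title'] . ' - ' . $e['votes'] . ' votes</li>';
}

// Fixed: escape at output time for the exact context the value lands in
// (attribute vs. text node) and cast numeric fields. Output escaping is what
// closes CWE-79; the input sanitiser below is defence in depth, not a substitute,
// because data can reach the database through paths other than this form.
function vc_render_entry_fixed( array $e ) {
    return sprintf(
        '<li data-id="%s">%s - %d votes</li>',
        esc_attr( $e['id'] ),
        esc_html( $e['title'] ),
        (int) $e['votes']
    );
}

// Save path: strip markup before the value is ever persisted.
function vc_prepare_for_storage( array $submitted ) {
    return array(
        'title' => sanitize_text_field( $submitted['title'] ?? '' ),
        'votes' => 0,
    );
}

echo "vulnerable: " . vc_render_entry_vulnerable( $entry ) . PHP_EOL;
echo "fixed:      " . vc_render_entry_fixed( $entry ) . PHP_EOL;
echo "stored as:  " . vc_prepare_for_storage( array( 'title' => $entry['title'] ) )['title'] . PHP_EOL;
```

Running the file under `php` prints the same entry twice: once with the `<img ... onerror>` tag intact, once with the angle brackets entity-encoded so the browser treats the payload as text. When auditing a plugin for this class of bug, look for `echo`/`print`/string concatenation of values read from the database or `$_POST`/`$_GET` without an `esc_*` or `wp_kses*` call on the output path; sanitising on save alone does not prove the output path is safe.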
Affected Systems
All WordPress installations running the Matt:WP Voting Contest plugin at version 5.8 or earlier are affected. The CVE data gives a range from an unspecified earliest release up to and including 5.8; no later version is listed as affected, and no fixed version is named in the data reproduced here, so administrators should confirm the patched release against the plugin changelog before relying on an upgrade.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and the EPSS score of under 1% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalogue. The expected attack path is an attacker submitting a crafted payload through one of the plugin's input fields (a contest entry, poll option or similar); the payload is stored and then served to every visitor of the page that displays it, so a single submission can affect many users, including logged-in administrators who moderate entries. The flaw is reachable over the web with an ordinary browser and needs no access to the host; the CVE data shown here does not state whether submitting a payload requires an account on the site. The risk is therefore moderate, but remediation is advised to prevent user-targeted attacks, and sites that cannot upgrade promptly should review stored poll and result data for injected markup.