Impact
An improper neutralization of input during web page generation in the RDFa Breadcrumb plugin allows an attacker to store malicious scripts that run each time a page is displayed, resulting in stored cross-site scripting. This flaw enables the injection of code that can hijack sessions, deface sites, or exfiltrate data from users who visit the vulnerable pages. The vulnerability stems from insufficient input validation and is classified as CWE-79.
Affected Systems
This issue affects the WordPress plugin RDFa Breadcrumb by Nitin Yawalkar for all releases up to and including version 2.3. Users running any of these versions on any WordPress installation are potentially exposed.
Risk and Exploitability
The CVSS score of 5.9 classifies the flaw as medium severity; the EPSS score of less than 1% indicates a very low likelihood that attackers are actively exploiting this weakness at present. It is not listed in the CISA KEV catalog. Because the vulnerability is stored and is triggered by modifying content that the plugin renders, an attacker would need access that permits injecting the payload (for example, an administrator account, or a comment, tag, or custom field handled by the plugin). Once injected, the script executes on every subsequent visit to the affected page.
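As an added illustration of the defect class described above (CWE-79), and not code from the RDFa Breadcrumb plugin, whose actual data source and markup the advisory does not show, the PHP below renders breadcrumbs from stored content unescaped beside the hardened form that escapes at output. The crumb array and its payload are constructed sample data, and the esc_html/esc_url fallbacks are assumptions so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): stored breadcrumb text reaching the
// page unescaped, beside the hardened form that escapes at output time.

// Fallbacks so the file runs outside WordPress; inside WordPress the core
// esc_html()/esc_url() functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Accept only http(s) URLs, then escape for the attribute context.
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Unsafe pattern: stored title and URL are concatenated straight into markup,
// so any markup saved into the title is emitted on every page view.
function render_breadcrumb_unsafe(array $crumbs): string {
    $out = '';
    foreach ($crumbs as $c) {
        $out .= '<a href="' . $c['url'] . '">' . $c['title'] . '</a> &raquo; ';
    }
    return $out;
}

// Hardened pattern: each untrusted value is escaped for the context it lands in
// (URL attribute vs. element text) at the point of output.
function render_breadcrumb_safe(array $crumbs): string {
    $out = '';
    foreach ($crumbs as $c) {
        $out .= '<a href="' . esc_url($c['url']) . '">'
              . esc_html($c['title']) . '</a> &raquo; ';
    }
    return $out;
}

// Constructed sample data: a stored page title carrying a script tag.
$crumbs = [
    ['title' => 'Home', 'url' => 'https://example.test/'],
    ['title' => 'News <script>alert(1)</script>', 'url' => 'https://example.test/news/'],
];
echo render_breadcrumb_unsafe($crumbs), "\n"; // script tag survives into the page
echo render_breadcrumb_safe($crumbs), "\n";   // emitted as &lt;script&gt;, inert text
```

A detection-side check for the same condition is to diff the plugin's rendered breadcrumb HTML against the escaped form of its source titles; any difference beyond the markup the plugin itself generates indicates unescaped stored content.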