Impact
The vulnerability is an improper neutralization of input during web page generation (CWE‑79) that allows an attacker to store malicious script payloads within the Login/Signup Popup plugin. When the plugin renders the stored content, the script executes in the browser context of any user visiting the affected page, potentially enabling cookie theft, session hijacking, defacement, or further site compromise. The injected code runs with the privileges of the user viewing the page and can affect the confidentiality, integrity, and availability of the site. This is a stored XSS flaw: the payload remains on the server and is rendered to every visitor until it is removed, so the attacker's effect is persistent rather than limited to a single crafted request.
Affected Systems
Vendor xootix; product Login/Signup Popup (easy‑login‑woocommerce). The affected range is given as n/a through version 2.9.4, that is, every release up to and including 2.9.4. No further version details are provided, so users should assume that any release up to and including 2.9.4 is vulnerable.
Risk and Exploitability
The CVSS score of 5.9 places the issue in the medium severity band. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an authenticated user (or administrator) submitting malicious input through the plugin’s configuration or form fields; that input is stored in the database and later rendered without output escaping, allowing arbitrary JavaScript execution in visitors' browsers.
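The stored-XSS pattern described in the Impact and Risk sections comes down to two missing controls: input that is stored without sanitization, and output that is rendered without context-appropriate escaping. The following PHP is an added illustration written for this page, not code from the Login/Signup Popup plugin, showing the vulnerable shape beside a hardened one using the standard WordPress API (`sanitize_text_field`, `esc_html`, `esc_attr`, `wp_kses`, `current_user_can`, `check_admin_referer`). The option names and function names prefixed `xsspopup_demo_` are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Option keys and the
// xsspopup_demo_* function names are hypothetical; the WordPress API
// functions called are real.

// --- Vulnerable pattern: store raw input, echo it back unescaped -------------
function xsspopup_demo_save_setting_vulnerable() {
    // Raw request data written to the database with no authorization check,
    // no nonce verification and no sanitization.
    update_option( 'xsspopup_demo_heading', $_POST['heading'] );
}

function xsspopup_demo_render_vulnerable() {
    // The stored value is emitted straight into the page, so any markup it
    // contains runs in every visitor's browser (stored XSS, CWE-79).
    echo '<h2 class="popup-heading">' . get_option( 'xsspopup_demo_heading' ) . '</h2>';
}

// --- Hardened pattern: authorize, verify nonce, sanitize on input, escape on output
function xsspopup_demo_save_setting_hardened() {
    // Only users who may manage options can change what the popup renders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Reject requests that did not originate from the plugin's own settings form.
    check_admin_referer( 'xsspopup_demo_save' );

    $heading = isset( $_POST['heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['heading'] ) )
        : '';
    update_option( 'xsspopup_demo_heading', $heading );

    // Where limited formatting is a feature, store only an allow-listed subset.
    $body = isset( $_POST['body'] )
        ? wp_kses( wp_unslash( $_POST['body'] ), xsspopup_demo_allowed_tags() )
        : '';
    update_option( 'xsspopup_demo_body', $body );
}

function xsspopup_demo_allowed_tags() {
    // Explicit allow-list for the popup body: no script, no event handlers.
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

function xsspopup_demo_render_hardened() {
    $heading = get_option( 'xsspopup_demo_heading', '' );
    $body    = get_option( 'xsspopup_demo_body', '' );

    // Escape for the HTML text context at the point of output. Input
    // sanitization above is defence in depth, not a replacement for this.
    echo '<h2 class="popup-heading">' . esc_html( $heading ) . '</h2>';

    // Attribute context needs esc_attr(); a URL context would need esc_url().
    echo '<div class="popup" data-popup-title="' . esc_attr( $heading ) . '">';

    // Re-apply the allow-list on output so a value written to the database
    // by some other path still cannot introduce script.
    echo wp_kses( $body, xsspopup_demo_allowed_tags() );
    echo '</div>';
}
```

The key review question for a plugin like this one is whether every stored value reaches the page through an escaping function matched to its output context (text, attribute, URL, or allow-listed HTML); an input-side filter alone is not sufficient, because values can enter the database by other routes such as imports or older plugin versions.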
OpenCVE Enrichment