Impact
The plugin does not neutralise category names before writing them into the generated menu markup. An attacker who can create or rename a category can therefore store script in the name, and the plugin renders that name unescaped every time the menu is built. Any visitor or logged-in user who views a page carrying the affected menu has the injected script executed in their browser, in the origin of the site, so the attacker runs arbitrary JavaScript with whatever that viewer's session permits (stored, or persistent, cross-site scripting).
Affected Systems
Atakan Au's Automatically Hierarchic Categories in Menu WordPress plugin is affected in all versions up to and including 2.0.9. Any installation running 2.0.9 or earlier should confirm the installed version and assess exposure.
Risk and Exploitability
The CVSS base score of 6.5 corresponds to medium severity. The EPSS score of under 1% indicates a low predicted likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path is an authenticated remote user with permission to manage categories (a WordPress core feature rather than part of the plugin, granted by default to Editors and Administrators) saving a category name that contains script; the payload is then stored and served to every site visitor when the menu is rendered. Because the payload persists in the database, the exposure continues until the name is cleaned up, not just until the plugin is updated, so existing category names should be reviewed as part of remediation.
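The following WordPress snippet is an added illustration of the defect class described in the Impact and Risk sections above; it is not the plugin's own code, and the function names (prefixed hcm_), the recursive menu shape and the sample payload are assumptions made for the example. It shows a menu renderer that interpolates category names straight into HTML beside a hardened version that escapes each value for the context it lands in, plus an audit helper that flags category names already carrying markup.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress so
// that get_categories(), get_category_link(), esc_html(), esc_url() and
// wp_strip_all_tags() are available. Function names are hypothetical.

// VULNERABLE: $cat->name and the link are concatenated into markup unescaped.
// A category named  News<script>alert(document.cookie)</script>  is emitted
// verbatim, so the script runs for every viewer of the menu.
function hcm_render_menu_vulnerable( $parent = 0 ) {
    $cats = get_categories( array( 'parent' => $parent, 'hide_empty' => false ) );
    if ( empty( $cats ) ) {
        return '';
    }
    $html = '<ul class="hcm-menu">';
    foreach ( $cats as $cat ) {
        $html .= '<li><a href="' . get_category_link( $cat ) . '">' . $cat->name . '</a>';
        $html .= hcm_render_menu_vulnerable( $cat->term_id ); // recurse into children
        $html .= '</li>';
    }
    return $html . '</ul>';
}

// HARDENED: every value crosses into HTML through the escaping function that
// matches its context. esc_url() for the href attribute (also rejects
// javascript: and other unsafe schemes), esc_html() for element text.
// Escaping at output time is the fix; the stored name may still contain
// anything a privileged user typed, so the renderer must not trust it.
function hcm_render_menu_hardened( $parent = 0 ) {
    $cats = get_categories( array( 'parent' => $parent, 'hide_empty' => false ) );
    if ( empty( $cats ) ) {
        return '';
    }
    $html = '<ul class="hcm-menu">';
    foreach ( $cats as $cat ) {
        $html .= '<li><a href="' . esc_url( get_category_link( $cat ) ) . '">'
               . esc_html( $cat->name ) . '</a>';
        $html .= hcm_render_menu_hardened( $cat->term_id );
        $html .= '</li>';
    }
    return $html . '</ul>';
}

// AUDIT: because a stored payload survives the plugin update, list categories
// whose name changes when tags are stripped, i.e. names that contain markup.
// Returns an array of term_id => raw name for manual review and cleanup.
function hcm_find_category_names_with_markup() {
    $suspicious = array();
    foreach ( get_categories( array( 'hide_empty' => false ) ) as $cat ) {
        if ( wp_strip_all_tags( $cat->name ) !== $cat->name ) {
            $suspicious[ $cat->term_id ] = $cat->name;
        }
    }
    return $suspicious;
}
```

In the hardened renderer, esc_html() turns the angle brackets, ampersand and quotes of the sample name into HTML entities, so the browser displays the literal text rather than parsing a script element. The audit helper is the check to run after updating: any entry it returns should be renamed, since the update alone does not remove payloads already saved in wp_terms.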