Impact
The vulnerability in the VaultDweller Leyka WordPress plugin is a DOM‑based Cross‑Site Scripting flaw that allows attackers to inject arbitrary JavaScript into the pages generated by the plugin. If an attacker succeeds in delivering malicious script, it can execute in the victim’s browser, leading to potential defacement of the site, theft of user session data, or the execution of further payloads without the user’s consent.
Affected Systems
This flaw affects all installations of the Leyka plugin version 3.32.1 and older. WordPress sites that have not upgraded beyond that release are susceptible, whether they are single‑user blogs or more complex multi‑user configurations.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1 % suggests a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is DOM‑based, the likely attack vector is a user opening a plugin page whose client‑side script takes untrusted input (for example, data from the page URL) and writes it into the document; the injected code then runs in the browser during rendering. Absent a known exploit that changes this assessment, the practical risk remains low, but the impact of a successful attack can be significant because attacker‑supplied script runs with the user's browser session.
OpenCVE Enrichment
EUVD