Impact
The vulnerability is an instance of improper neutralization of input during web page generation, allowing stored Cross‑Site Scripting. When a user supplies data that contains malicious script, the plugin fails to sanitize the input before storing it, enabling attackers to inject JavaScript that executes in the context of other visitors who view the affected page. This flaw permits the compromise of confidentiality and integrity of user sessions and could lead to credential theft or defacement if executed against privileged accounts.
Affected Systems
The affected product is the WordPress plugin douglaskarr Podcast Feed Player Widget and Shortcode. Versions from the initial release up to and including 2.2.0 are vulnerable. Any WordPress installation running the plugin before the latest release is at risk.
Risk and Exploitability
The CVSS base score is 6.5, indicating moderate severity, with an EPSS score of less than 1%, suggesting a low probability of exploitation in the near term. The flaw is not currently listed in the CISA KEV catalog. Attackers would need to gain the ability to inject content into the plugin’s fields, typically through the widget or shortcode configuration interface, and wait for the data to be rendered to another user’s browser. Because the payload is stored, re‑use across sessions is possible, but the lack of a known public exploit and the low EPSS imply limited immediate threat.