Impact
The WordPress Free Downloads EDD plugin fails to properly neutralize user-supplied input during web page generation, which lets an attacker inject arbitrary JavaScript through data the plugin renders. It is a CWE-79 Cross-Site Scripting vulnerability, specifically a DOM-based XSS: a crafted payload executes in the browser of any site visitor who loads a page that renders data from the plugin. Injected scripts can hijack sessions, deface content, or redirect users to malicious sites. The root cause is that the plugin embeds data in page output without correctly encoding or validating it first.
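The encoding failure described above, shown as an added illustration that is not code from the Free Downloads EDD plugin or its vendor: an unsafe renderer interpolates a download's title and URL straight into markup, while the hardened renderer escapes the text and attribute contexts and rejects non-http(s) URL schemes. The `renderDownload*` function names, the `edd-download` class and the sample payload are all constructed for this example; in a browser, the equivalent of the safe path is assigning `textContent` and a validated `href` instead of writing raw HTML into `innerHTML`.

```javascript
// Added example, not plugin code. Demonstrates CWE-79 in a download
// listing: unescaped interpolation versus context-aware encoding.

// Escape the five characters that matter in HTML text and attribute values.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Accept only http(s) download links; "javascript:" and "data:" become "#".
// Relative paths resolve against the (hypothetical) site origin and pass.
function safeHref(url) {
  try {
    const u = new URL(String(url), 'https://example.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? String(url) : '#';
  } catch {
    return '#';
  }
}

// Vulnerable pattern: user-controlled metadata placed into markup as-is.
// Any "<", quote or javascript: URL in the item reaches the browser intact.
function renderDownloadUnsafe(item) {
  return `<a class="edd-download" href="${item.url}">${item.title}</a>`;
}

// Hardened pattern: URL scheme validated, attribute and text both escaped.
function renderDownloadSafe(item) {
  const href = escapeHtml(safeHref(item.url));
  return `<a class="edd-download" href="${href}">${escapeHtml(item.title)}</a>`;
}

// Constructed attacker-controlled metadata (not from any real site).
const EVIL_ITEM = {
  title: '<img src=x onerror="alert(document.cookie)">',
  url: 'javascript:alert(1)',
};

// Constructed benign metadata, to show the safe path leaves normal data alone.
const BENIGN_ITEM = { title: 'Report Q1', url: 'https://example.com/q1.pdf' };

// True when the rendered fragment still contains a live tag from the payload.
function containsLiveTag(html) {
  return /<img\b/i.test(html) || /href="javascript:/i.test(html);
}

console.log('unsafe:', renderDownloadUnsafe(EVIL_ITEM));
console.log('safe:  ', renderDownloadSafe(EVIL_ITEM));
```

Running the block prints the injectable fragment beside the neutralized one; the check worth keeping in a test suite is that the safe renderer never emits an `<img` tag or a `javascript:` link for any input, while leaving ordinary titles and http(s) URLs untouched.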
Affected Systems
The Free Downloads EDD plugin by Wp Enhanced is affected in versions 1.0.4 and earlier. No specific revision identifiers are listed, so the issue should be treated as applying to every release from the earliest available version through 1.0.4.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium-severity defect. The EPSS score puts the probability of exploitation below 1%, and the flaw is not in the CISA KEV catalog. An attacker would need to craft a malicious payload and get it onto the affected site, for example through the download metadata the plugin renders; the injected script then executes in the visitor's browser. The vulnerability does not grant server-side code execution, but it can compromise the confidentiality and integrity of any user who visits the affected page, so the overall risk is moderate.