Impact
Improper neutralization of user‑supplied input in the WP Delicious plugin allows a DOM‑based cross‑site scripting attack (CWE‑79). Because the flaw is DOM‑based, the injection happens in the browser: client‑side script shipped by the plugin reads attacker‑controlled input (typically part of the URL) and writes it into the page without sanitizing or encoding it, so attacker‑supplied markup is parsed and any script in it executes in the victim's session on the site's origin. The consequences are those of any stored or reflected XSS: client‑side code execution, defacement, theft of data the page exposes, and session hijacking, compromising the confidentiality and integrity of the user's environment. Note that cookies flagged HttpOnly cannot be read by injected script, but script running in‑origin can still issue authenticated requests on the victim's behalf, which for a logged‑in WordPress administrator is equivalent to account takeover.
Affected Systems
All installations of the WordPress WP Delicious plugin up to and including version 1.8.4 are affected. No other versions or products are listed. To check exposure, compare the version shown for WP Delicious in the WordPress plugins list against 1.8.4 and update to a release newer than 1.8.4 that the vendor identifies as fixing this issue.
Risk and Exploitability
The vulnerability carries a CVSS base score of 6.5 (Medium) and an EPSS of less than 1%, suggesting a low probability of exploitation in the wild at the time of analysis. It is not listed in the CISA KEV catalog. Exploitation requires user interaction: the attacker must get a victim to open a crafted URL or otherwise interact with the vulnerable input handled by the plugin's client‑side code, for example through a phishing link or a link planted in user‑generated content. One caveat specific to DOM‑based XSS: when the payload travels in the URL fragment (the part after #), the browser never sends it to the server, so server‑side logs and a web application firewall will not see it; detection has to happen in the browser or by reviewing the plugin's JavaScript for unsafe sinks. Once triggered, the injected script runs in the context of the victim's browser on the site's origin, potentially allowing data theft or further web‑based attacks.
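The following is an added illustration, not code from the WP Delicious plugin or from the advisory, of the generic pattern behind a DOM‑based XSS bug like the one described in the Impact and Risk sections: an attacker‑controlled URL parameter flows from a source (location.search here; location.hash is the other common one) into an HTML‑parsing sink (innerHTML), beside two hardened variants. The advisory does not identify the plugin's actual source or sink, so the parameter name q, the sample URL, and the tiny element stand‑in that lets the file run under Node are all assumptions; in a browser you would pass a real element from document.getElementById.

```javascript
// Added example (not WP Delicious code): generic DOM-based XSS pattern and fixes.
// Constructed sample query string carrying an XSS payload; URL-decoded by URLSearchParams:
//   <img src=x onerror=alert(document.cookie)>
const SAMPLE_QUERY = "?q=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

// Stand-in for a DOM element so this runs under Node. Unlike a real node it does
// not parse markup; the assertions therefore inspect what reaches each sink.
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Source: attacker-controlled input taken from the URL query string.
// Percent-decoding happens here, exactly as in the browser's URLSearchParams.
function readQueryParam(search, name) {
  return new URLSearchParams(search).get(name) || "";
}

// VULNERABLE: the raw value is concatenated into markup and handed to innerHTML,
// so any tags or event handlers inside it are parsed and executed by the browser.
function renderVulnerable(el, search) {
  const q = readQueryParam(search, "q");
  el.innerHTML = "<h2>Results for: " + q + "</h2>";
  return el.innerHTML;
}

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED, option 1: write the value as text. textContent never parses markup.
function renderSafeText(el, search) {
  el.textContent = "Results for: " + readQueryParam(search, "q");
  return el.textContent;
}

// HARDENED, option 2: when surrounding markup is genuinely needed, encode the
// untrusted value before it is concatenated into the HTML string.
function renderSafeEscaped(el, search) {
  el.innerHTML = "<h2>Results for: " + escapeHtml(readQueryParam(search, "q")) + "</h2>";
  return el.innerHTML;
}

// Triage helper: does a decoded URL parameter carry characters that would become
// markup or a script URL if it reached an innerHTML/href sink?
function looksLikeMarkup(value) {
  return /[<>"']|javascript:/i.test(value);
}

// Stand-alone demonstration.
console.log("vulnerable:", renderVulnerable(fakeElement(), SAMPLE_QUERY));
console.log("safe text: ", renderSafeText(fakeElement(), SAMPLE_QUERY));
console.log("safe html: ", renderSafeEscaped(fakeElement(), SAMPLE_QUERY));
```

The two hardened variants differ in intent: textContent is the right default whenever the value is data rather than markup, and the encoder is for the rarer case where the value must sit inside HTML you build yourself. Neither fixes a sink such as location.href or an inline event handler attribute, which need a scheme allowlist rather than entity encoding; the looksLikeMarkup check is only a quick way to spot which parameters deserve a closer look during review.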