Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation (cross-site scripting) flaw that lets an attacker store malicious JavaScript in the Print My Blog plugin. When a site visitor loads the affected page, the injected script runs in the visitor’s browser, which can lead to cookie theft, session hijacking or defacement. This weakness corresponds to CWE-79 and is reflected in the CVSS score of 6.5.
Affected Systems
The affected product is Print My Blog, from the vendor Michael Nelson. Versions from the initial release up to and including 3.27.9 are vulnerable. No specific patch version is listed in the data.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, while the very low EPSS score of < 1% shows that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploits. It is likely that an attacker would need to inject malicious input through the plugin’s content creation interface, which implies local or administrative access to the WordPress site. Based on the description, the attack can be carried out by any user with content-creation privileges, and the malicious script would run in the browser context of visitors, affecting the confidentiality and integrity of the application.