Improper neutralization of user input during web page generation allows an attacker to inject malicious JavaScript that is stored by the WooMS plugin. An injected script can execute in the browser context of any user who views the affected page, potentially allowing data theft, session hijacking or defacement. The flaw is identified as a Stored XSS weakness (CWE‑79) and can compromise the confidentiality and integrity of user data without requiring further privileges.

The vulnerability is present in the WooMS plugin version 9.12 and earlier. It affects all WordPress sites that have the WooMS plugin installed from any release prior to 9.13. This includes sites on any WordPress host, regardless of custom theme or other plugins. No specific WordPress core versions are mentioned as necessary, so any site using the impacted plugin is potentially affected.

The CVSS score of 5.9 indicates a moderate risk of exploitation. The EPSS score of less than 1% suggests that exploitation attempts are unlikely at present, but the vulnerability remains technically exploitable under the right conditions. The flaw is not listed in the CISA KEV catalog, meaning it has not yet seen widespread exploitation. Attackers would likely use the plugin’s input fields or backend interfaces to submit malicious payloads, which are then rendered to ordinary visitors. As the flaw is stored, a single injection can affect every user who views the compromised content.