Improper neutralization of input during web page generation allows a stored cross‑site scripting attack on WordPress sites that use the Buckets plugin. An attacker can inject malicious scripts by submitting data that is later rendered without proper escaping. This can lead to session hijacking, credential theft, or defacement of the site. The weakness is a classic input validation flaw identified by CWE‑79.

The Buckets plugin developed by matthewordie, versions from the initial release through 0.3.9, is vulnerable. WordPress installations that have this plugin enabled and allow the affected functionality are at risk. No other products or versions are mentioned as affected.

The CVSS score of 6.5 indicates a medium‑to‑high risk for the affected sites, especially when the plugin is exposed to untrusted users. The EPSS score of less than 1% suggests that large‑scale exploitation is currently unlikely, but the lack of KEV inclusion does not eliminate the threat. The attack vector is inferred to be via normal interaction with the Buckets feature, where user supplied input is stored and later displayed on the site. An attacker would need to be able to force the plugin to store malicious content, which typically requires ordinary user privileges or administrative access to the plugin configuration.