Impact
The vulnerability is a DOM‑based Cross‑Site Scripting (XSS) flaw in the Techeshta Card Elements for WPBakery plugin. The plugin fails to properly neutralize user input before rendering it to the browser, which lets an attacker inject scripts during web page generation and potentially execute arbitrary client‑side script in the context of a victim’s browser. The weakness is classified as CWE‑79, improper neutralization of input during web page generation.
Affected Systems
This issue impacts the Card Elements for WPBakery plugin for WordPress, versions up through and including 1.0.8. The plugin is distributed by Techeshta and is widely used in WordPress installations that incorporate WPBakery page builder functionality.
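To check an installation against the affected range above, the following added example (not code from OpenCVE or the plugin vendor) reads WordPress plugin file headers and flags copies at or below 1.0.8. It assumes the plugin's header carries the name exactly as this advisory gives it; the sample header is constructed.

```python
import re
from pathlib import Path

PLUGIN_NAME = "Card Elements for WPBakery"  # assumption: header uses the advisory's name
LAST_AFFECTED = (1, 0, 8)                   # "up through and including 1.0.8"
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

# Constructed sample header, for illustration only.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Card Elements for WPBakery
 * Version: 1.0.8
 */
"""

def parse_header(php_source):
    """Return the 'plugin name' and 'version' fields of a plugin file header."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads 8 KiB
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def version_tuple(text):
    """'1.0.8' -> (1, 0, 8); a suffix such as '-beta' is ignored."""
    parts = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(p) for p in parts) if parts else None

def _pad(version, width):
    return version + (0,) * (width - len(version))

def is_affected(php_source):
    """True/False for this plugin; None when the file is a different plugin."""
    fields = parse_header(php_source)
    if PLUGIN_NAME.lower() not in fields.get("plugin name", "").lower():
        return None
    version = version_tuple(fields.get("version", ""))
    if version is None:
        return True  # no readable version: treat as affected until verified
    width = max(len(version), len(LAST_AFFECTED))
    return _pad(version, width) <= _pad(LAST_AFFECTED, width)

def scan(plugins_dir):
    """Yield (path, affected) for matching main files under wp-content/plugins."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        result = is_affected(php.read_text(errors="replace"))
        if result is not None:
            yield str(php), result
```

Call `list(scan("/path/to/wp-content/plugins"))` on the web root being audited; a `False` result only means the version is outside the range stated here.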
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity vulnerability, and the EPSS score reflects a very low likelihood of exploitation (less than 1%). The vulnerability is not listed in the CISA KEV catalog. Because the flaw is DOM‑based, it can be triggered by user‑controlled input rendered on the page, making it potentially exploitable by anyone who can create or manipulate a card element. The impact is restricted to client‑side script execution, but if combined with phishing or social engineering, it can lead to credential theft or session hijacking. Attackers would typically craft malicious input and submit it via the front‑end, exploiting the lack of output encoding. Given the low EPSS score, the risk is moderate, but the widespread use of the plugin warrants prompt remediation.