Improper neutralization of user input during page rendering in the Bg Church Memos plugin allows attackers to inject malicious JavaScript that executes in a victim’s browser. This DOM‑based XSS can lead to theft of session tokens, defacement of content, and the execution of arbitrary actions on behalf of the user. The flaw stems from a failure to sanitize input before embedding it into the page, a classic input validation weakness classified as CWE‑79.

The vulnerability affects the WordPress Bg Church Memos plugin released by Vadim Bogaiskov. All installed copies with version 1.1 or earlier are susceptible. No other products or newer releases are listed as affected.

The CVSS score of 6.5 signals a moderate severity for a client‑side vulnerability. The EPSS score is less than 1%, indicating a low probability of widespread exploitation at present, and the issue is not yet listed in CISA’s KEV catalog. Attackers would exploit it by forcing a victim to load a crafted request that contains malicious script payloads; because the flaw is DOM‑based, it requires only the victim’s browser to execute the injected code. The risk is limited to the confidentiality, integrity, and availability of the victim’s interaction with the site but does not extend to server‑side compromise or privilege escalation.