PlayerJS v2.24 and earlier contain an improper neutralization of input during web page generation, enabling DOM‑based XSS. An attacker can inject malicious JavaScript that is executed within the context of any user who views a page that includes the affected plugin. This could lead to session hijacking, credential theft, or defacement, affecting confidentiality, integrity, and availability of information stored in the user’s browser session.

The vulnerability affects the WordPress PlayerJS plugin (PlayerJS:PlayerJS) for all releases from the initial version up to and including 2.24. No further version details are available, so any installation of the plugin at version 2.24 or earlier is potentially vulnerable.

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is client‑side; a malicious actor can craft a payload that is reflected through the plugin’s output and delivered to unsuspecting visitors. Success requires access to a page that includes the plugin; authentication is not required for exploitation, making it easy to launch from a remote source and posing a risk to all users of the vulnerable site.