The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject malicious script into a page viewed by other users, resulting in stored cross‑site scripting. The stored nature of the flaw means that the attack code persists in the database and will be delivered to any user who accesses the affected pages. Because the flaw stems from a lack of output encoding, an exploit can execute arbitrary JavaScript in the context of the victim, potentially compromising session cookies, defacing content, or redirecting users to malicious sites. The weakness is identified as CWE‑79.

WebWizards MarketKing (marketking‑multivendor‑marketplace‑for‑woocommerce) is affected, with all releases up to and including version 2.0.92 vulnerable. No specific sub‑versions are listed beyond the upper bound, so any installation using 2.0.92 or earlier should be considered vulnerable.

The CVSS score of 6.5 indicates a moderate severity, but the EPSS figure of less than 1% signifies a very low probability that this vulnerability will be actively exploited at the time of analysis. The vulnerability is not currently referenced in CISA’s KEV catalog. The most likely attack vector is an online user exploiting a legitimate input field that is not properly sanitized and then tricking other users into loading the resulting page. Because stored XSS can affect all site visitors, the impact can be widespread if the patch is not applied. Administrators should treat this issue as a medium‑to‑high priority due to the potential for data theft or site defacement once a web user is compromised.