Impact
The vulnerability is an improper neutralization of input during web page generation that results in DOM-based cross-site scripting: client-side script shipped with the plugin takes attacker-controlled values (from a URL parameter or a form field) and writes them into the page without encoding them for the HTML context they land in. An attacker who gets a victim to open a crafted link or page can therefore execute arbitrary JavaScript in that victim's browser, in the security context of the affected site. Because the script runs in the victim's session, it can read session cookies that are not marked HttpOnly, alter page content, present phishing forms, or issue requests to the site with the victim's credentials; if the victim is a logged-in administrator, those requests carry administrative privileges.
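The source-to-sink pattern behind a DOM-based XSS of this kind, and the encoding fix, as an added generic illustration. This is not the Ibtana plugin's code and the page does not name the plugin's actual source or sink; the `product` parameter, the `ibt-title` wrapper and the sample URLs are all assumptions constructed for the example.

```javascript
// Added example: a DOM-XSS source/sink pair and its hardened form.
// Not the Ibtana plugin's code; parameter name, markup and URLs are invented.

// Hypothetical helper: read one query-string parameter from a page URL.
// In a browser the href would come from location.href (the DOM-XSS "source").
function getParam(href, name) {
  return new URL(href).searchParams.get(name) ?? '';
}

// Vulnerable pattern: the raw parameter is concatenated into markup.
// In a browser this string would be assigned to element.innerHTML (the "sink"),
// which parses it, so attacker-supplied tags and event handlers execute.
function renderUnsafe(href) {
  const product = getParam(href, 'product');
  return '<h2 class="ibt-title">' + product + '</h2>';
}

// Hardened pattern: encode the HTML-significant characters before the value
// reaches an HTML text context. Equivalent to element.textContent = product.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(href) {
  const product = getParam(href, 'product');
  return '<h2 class="ibt-title">' + escapeHtml(product) + '</h2>';
}

// Crude check for tests: after removing the fixed template wrapper, does any
// tag-like markup remain in the rendered string? Real detection would use a
// DOM parser; this is enough to contrast the two renderers.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<h2 class="ibt-title">/, '').replace(/<\/h2>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample URLs (no real site). The second one carries
// ?product=<img src=x onerror=alert(document.domain)> percent-encoded.
const BENIGN = 'https://shop.example/product/?product=Blue%20Mug';
const PAYLOAD = 'https://shop.example/product/?product=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E';

// Stand-alone demonstration.
console.log('unsafe:', renderUnsafe(PAYLOAD));
console.log('safe:  ', renderSafe(PAYLOAD));
```

The encoding in `escapeHtml` is only correct for an HTML text (or double-quoted attribute) context; a value written into an event handler, a `javascript:` URL, or an inline script needs a different encoder or, better, a DOM API such as `textContent` or `setAttribute` that never parses the value as markup. A Content Security Policy that forbids inline script limits what an injected payload can do but does not remove the bug.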
Affected Systems
Affected systems are WordPress sites with the Ibtana – Ecommerce Product Addons plugin installed and active at version 0.4.7.6 or earlier. The plugin is distributed by VW Themes and is used to add product add-ons to e-commerce shops. Exploitation does not depend on a particular WordPress core version or on any other plugin; any site where the vulnerable version is active is exposed.
Risk and Exploitability
The CVSS base score is 6.5 (Medium), and the EPSS score is below 1%, indicating a low estimated probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation has been recorded there. Based on the description, the likely attack path is a victim opening a crafted URL to a page where the plugin's front-end script writes attacker-controlled input into the DOM without encoding, most plausibly on the public shop pages. Because the flaw needs a victim to load the page, it is a client-side compromise of that user's session rather than a direct server-side compromise, but it still affects the confidentiality and integrity of whatever that session can reach, and a session belonging to an administrator can reach the site's administrative functions.
OpenCVE Enrichment