Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation (CWE‑79) that allows stored cross‑site scripting in the OTWthemes Widgetize Pages Light WordPress plugin. When an attacker supplies a JavaScript payload through the plugin’s content fields and that content is persisted, the plugin renders the unescaped input back to the browser, so the script executes in the context of any visitor viewing the affected page. Because the script runs with the privileges of the page, it could be used to modify page content, capture user input, or inject further payloads. The likely attack vector is the plugin’s own input interface: a user, authenticated or not, with access to the plugin’s content management can submit the payload. Once the data is stored, every user who loads the page receives it. The advisory does not specify the exact downstream effects; stored XSS generally permits client‑side attacks such as session hijacking or credential theft, but these consequences are inferred rather than stated in the advisory.
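To make the defect class concrete, here is an added PHP illustration, not code from the Widgetize Pages Light plugin (whose internals the advisory does not show): a hypothetical widget render function that interpolates stored settings straight into HTML, beside the corrected version that escapes each value for its HTML context at output time. The `esc_html`/`esc_attr` stand-ins exist only so the file runs as plain PHP; inside a plugin the real WordPress `esc_html()` and `esc_attr()` are used and the stand-ins are skipped.

```php
<?php
// Added illustration of CWE-79 in a widget renderer; not the plugin's own code.
// Stand-ins for WordPress's esc_html()/esc_attr() so this runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed stored widget settings, as they might be read back from the
// database after a hostile editor saved markup into the content fields.
$stored = [
    'title' => 'Latest posts<script>alert("stored XSS")</script>',
    'class' => 'sidebar" onmouseover="alert(1)',
];

// Vulnerable pattern (hypothetical): stored values are echoed unescaped, so
// whatever was saved becomes live markup for every visitor who loads the page.
function render_widget_vulnerable(array $s): string {
    return '<div class="' . $s['class'] . '"><h3>' . $s['title'] . '</h3></div>';
}

// Hardened pattern: escape at the point of output with the escaper matching the
// context. Attribute values get esc_attr(), element text gets esc_html().
function render_widget_fixed(array $s): string {
    return '<div class="' . esc_attr($s['class']) . '"><h3>'
         . esc_html($s['title']) . '</h3></div>';
}

echo "Vulnerable output (markup is live):\n", render_widget_vulnerable($stored), "\n\n";
echo "Fixed output (markup is inert text):\n", render_widget_fixed($stored), "\n";
```

Output escaping is the fix for the rendering side; sanitizing on save (for example WordPress's `wp_kses_post()` for fields meant to hold limited HTML) limits what can be stored in the first place, and existing stored content should be reviewed after the upgrade since escaping only neutralizes it going forward.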
Affected Systems
The affected product is OTWthemes Widgetize Pages Light. All released versions up through and including 3.0 are affected; no sub‑version detail is provided.
Risk and Exploitability
The CVSS score of 5.9 classifies the issue as moderate. The EPSS score of less than 1 % indicates a low probability of active exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires placing a malicious JavaScript payload into the plugin’s input fields when content is created or edited; any user who views the rendered page will execute the payload until the stored data is removed or the plugin is upgraded. Because the flaw operates on stored data, content that was already injected continues to pose a risk until it is cleaned or the plugin is updated.