The WP‑GraphViz plugin for WordPress contains an improper neutralization of input during web page generation. Based on the description, the likely attack vector is an attacker crafting a malicious payload that is reflected through the browser’s DOM. An attacker can craft a malicious payload that is reflected through the browser’s DOM, resulting in a DOM‑based XSS flaw. When a user visits a page containing the vulnerable input, arbitrary JavaScript can execute in the user’s browser. This could lead to session hijacking, credential theft, or malicious content injection, affecting confidentiality and integrity of the user session.

The flaw is present in the DeBAAT WP‑GraphViz plugin versions up to and including 1.5.1. All WordPress sites installing any of these affected releases of the plugin are vulnerable.

Based on the description, the likely attack vector is an attacker persuading a user to visit a malicious URL or click a link that includes the crafted payload. The CVSS score is 6.5, indicating moderate severity. The EPSS score of less than 1% suggests a low probability that the flaw is being exploited in the wild, and it does not appear in the CISA KEV catalog. Exploitation requires a user to load a page that includes the malicious payload, and the attacker does not need additional pre‑conditions beyond convincing a victim to load a crafted URL or click a link. Because it is a browser‑side vulnerability, it cannot lead to remote code execution on the server but can use the browser context maliciously.