Impact
An attacker can inject malicious JavaScript into content handled by the pushe Web Push Notification plugin. This is a CWE-79 vulnerability: the plugin does not properly neutralize user-supplied input when rendering a web page, which allows stored XSS. When any user, including an author, editor, or visitor, visits a page containing the compromised data, the embedded script runs in the victim's browser. This could lead to session hijacking, credential theft, or the execution of arbitrary commands that affect the site's confidentiality, integrity, or availability.
Affected Systems
The vulnerability affects the WordPress “pushe Web Push Notification” plugin released by pusheco, in all versions from the initial release up to and including 0.5.0. WordPress sites that still use the plugin and have not upgraded beyond 0.5.0 are at risk.
Risk and Exploitability
The CVSS score is 5.9, indicating moderate severity. EPSS indicates a probability of exploitation below 1 %, suggesting that active attacks are unlikely at present. The flaw is not listed in the CISA KEV catalog, further implying lower real‑world exploitation. However, the relatively low EPSS does not eliminate risk, especially for high‑traffic or high‑value sites that might attract targeted attackers. Based on the description, it is inferred that attackers would need to inject a malicious payload through a writable input handled by the plugin, and the impact would be realized when other users load the affected page.