The product catalog plugin contains an improper neutralization of input during web page generation, allowing attackers to store malicious script code within catalog entries. When a victim views the affected page the injected code runs in the victim’s browser, enabling script execution that can lead to credential theft, session hijacking or defacement. This is a classic stored XSS flaw; it compromises the integrity of the page content and the confidentiality of the victim’s session data.

The vulnerability exists in the impleCode Product Catalog Simple WordPress plugin in every release from the first edition through version 1.8.2. Any WordPress site that has installed this plugin and has catalog entries created by users or administrators is potentially affected.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% signals a low probability of exploitation in the field. The flaw is not listed in CISA’s KEV catalog, suggesting it has not been widely exploited so far. Based on the description, the likely attack vector is that an authenticated or publicly able content editor submits a malicious input into a catalog item; the system stores the payload and includes it in the rendered page for all viewers. The vulnerability could be triggered without additional conditions beyond normal use of the plugin’s input form.