Improper neutralization of input during web page generation allows an attacker to inject malicious scripts into the victim’s browser through a DOM‐based cross‑site scripting flaw in the Penci Podcast WordPress plugin. The vulnerability can be triggered by crafted inputs that are reflected into the page without proper sanitization, potentially enabling attackers to steal session cookies, deface content, or execute arbitrary JavaScript. The vulnerability is a classic injection weakness, identified as CWE‑79.

PenciDesign’s Penci Podcast plugin, versions up to and including 1.6, is affected. All sites running the plugin at these or earlier versions are potentially vulnerable, regardless of other WordPress components.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% signals a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or remote via crafted URLs or form inputs that the plugin fails to sanitize; an attacker would need to entice a user to visit a maliciously crafted page. Because it is DOM‑based, the flaw is client‑side and does not expose a server‑side attack surface, but it still poses significant risk to confidentiality and integrity of user data.