Impact
The vulnerability is an improper neutralization of input during web page generation (CWE‑79) that allows an attacker to store malicious script code through the Google+ Comments plugin. When other users view a page containing the affected comment, the script runs in their browsers. This stored XSS can compromise user credentials, deface the site, or hijack user sessions. The potential damage is data theft, defacement, and persistence for further attacks, affecting the confidentiality and integrity of the site content. The attack vector involving malicious comment injection is inferred from the description.
Affected Systems
This issue affects the Alex Moss Google+ Comments WordPress plugin, versions ≤ 1.0. The vulnerability is present from the initial release up to and including version 1.0, so any WordPress installation running the plugin at version 1.0 or any earlier version is vulnerable.
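An added example, not part of the advisory or the plugin's own code: a Python inventory check that reads the WordPress plugin headers under a plugins directory and reports installed copies at or below version 1.0. Matching on the header text "Google+ Comments" and the author "Alex Moss" is an assumption, and the sample directory names and files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from a plugin's main PHP file (first 8 KB only).
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version|Author):(.*)$", re.I | re.M)

def read_headers(php_file):
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value.strip(" \t*/\r"))  # first match wins
    return fields

def version_tuple(version):
    """'1.0' -> (1,), '1.0.1' -> (1, 0, 1); suffixes such as '-beta' are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    digits = re.sub(r"(?:\.0+)+$", "", match.group()) if match else ""
    return tuple(int(p) for p in digits.split(".") if p)

def find_affected(plugins_dir, name="Google+ Comments", author="Alex Moss", max_version="1.0"):
    """List (relative path, version); a missing or unparseable version is reported too."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if name.lower() not in h.get("plugin name", "").lower():
            continue
        if h.get("author") and author.lower() not in h["author"].lower():
            continue
        ver = h.get("version", "")
        if version_tuple(ver) <= version_tuple(max_version):
            hits.append((php.relative_to(plugins_dir).as_posix(), ver or "unknown"))
    return hits

def demo():
    samples = {  # constructed plugin files; slugs and the 1.0.1 version are made up
        "gplus-comments-example/main.php": "<?php\n/*\nPlugin Name: Google+ Comments\nAuthor: Alex Moss\nVersion: 1.0\n*/\n",
        "gplus-comments-newer/main.php": "<?php\n/*\n * Plugin Name: Google+ Comments\n * Author: Alex Moss\n * Version: 1.0.1\n */\n",
        "other-plugin/other.php": "<?php\n/*\nPlugin Name: Contact Form\nVersion: 0.5\n*/\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body)
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `find_affected()` with the path to the site's `wp-content/plugins` directory.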
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1 % suggests a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the issue by crafting a comment that contains malicious JavaScript and posting it to a page that uses the Google+ Comments plugin. Once the comment is stored, the script executes in the browser of any visitor who views the page, giving the attacker the ability to run arbitrary code in the context of the site. This requires the plugin to be enabled and the target site to allow user comments. The likely attack vector is inferred from the description, as no explicit exploitation method is detailed.