Impact
The vulnerability is an improper neutralization of input during web page generation, classified as Cross‑Site Scripting (CWE‑79). An attacker who can influence certain user‑generated fields can inject arbitrary JavaScript into pages rendered by the VOD Infomaniak plugin. When a victim opens the affected page, the injected script runs with the victim's browser privileges in the site's origin, potentially enabling session hijacking, credential theft, or defacement. The flaw is a classic instance of CWE‑79: it executes in visitors' browsers and does not directly compromise the WordPress server or its database.
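To make the CWE‑79 pattern concrete, the following is an added example written for this page; it is not code from the VOD Infomaniak plugin or from the advisory, and the field name (`vod_title`), the render functions, and the constructed input are all hypothetical. It places the vulnerable pattern (a user‑controlled value concatenated straight into markup) beside the hardened form, which escapes at the output sink with an escaper matching the HTML context, and sanitizes on the way in when the value is stored. The `esc_html()`/`esc_attr()`/`sanitize_text_field()` definitions are minimal stand‑ins so the file runs outside WordPress; inside WordPress the plugin would call the real functions of the same names.

```php
<?php
// Added example (not the plugin's own code): CWE-79 vulnerable render beside
// its hardened counterpart. Field name 'vod_title' is hypothetical.

// Stand-ins so this runs outside WordPress. Real WordPress provides these
// functions; the guards keep the real ones when loaded as a plugin.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string)$text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string)$text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Strip tags and control characters; real WP does more normalisation.
        $text = strip_tags((string)$text);
        $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text);
        return trim($text);
    }
}

// VULNERABLE: the stored field is interpolated into HTML with no escaping,
// so any markup or script in the value becomes part of the page.
function render_title_vulnerable(string $title): string {
    return '<h2 class="vod-title">' . $title . '</h2>';
}

// HARDENED: escape at the sink. The escaper must match the context:
// esc_html() for element content, esc_attr() for attribute values,
// esc_url() (not shown) for href/src.
function render_title_safe(string $title): string {
    return '<h2 class="vod-title">' . esc_html($title) . '</h2>';
}

function render_player_safe(string $videoId): string {
    return '<div class="vod-player" data-video="' . esc_attr($videoId) . '"></div>';
}

// Input-side control for stored values (defence in depth; output escaping
// remains the essential fix, because stored data may arrive by other paths).
function save_title_safe(string $rawTitle): string {
    return sanitize_text_field($rawTitle);
}

// Constructed input: a title carrying a harmless script element and a quote.
$input = 'Summer "highlights" <script>/* injected */</script> reel';

echo "Vulnerable: " . render_title_vulnerable($input) . PHP_EOL;
echo "Hardened:   " . render_title_safe($input) . PHP_EOL;
echo "Stored:     " . save_title_safe($input) . PHP_EOL;
echo "Attribute:  " . render_player_safe('abc" onmouseover="x') . PHP_EOL;
```

Running the file shows the difference directly: the vulnerable renderer emits the `<script>` element verbatim, while the hardened renderer emits `&lt;script&gt;` and `&quot;`, so the browser displays the text instead of executing it. The attribute example demonstrates why context matters: a double quote inside `data-video` would otherwise close the attribute and let a new one be injected.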
Affected Systems
The flaw is present in the Infomaniak Network VOD Infomaniak WordPress plugin in all releases up to and including version 1.5.11. Sites running any of these plugin versions are affected; newer releases are not reported to be vulnerable.
Risk and Exploitability
The CVSS score of 7.1 rates the issue as high severity, while the EPSS score of less than 1 % indicates a very low probability of exploitation based on currently observed activity. The flaw is not listed in CISA's KEV catalog. Exploitation would likely occur over the plugin's public web interface, requiring the victim to visit a crafted URL or submit a form that includes malicious input. No authentication or privileged access is needed for the initial injection, and the attack vector is network‑based, so the flaw is exploitable remotely.
OpenCVE Enrichment