Impact
The vulnerability in Jonathan Jernigan’s Pie Calendar plugin allows an attacker to inject malicious JavaScript into pages generated by the plugin. This improper neutralization of input (CWE‑79) can lead to cross‑site scripting that compromises the browser context of any visitor, potentially enabling session hijacking, defacement, or phishing attacks. The impact is limited to client‑side effects on users who view the affected page, but it can facilitate credential theft if users have active sessions.
Affected Systems
WordPress sites that have installed the Pie Calendar plugin version 1.2.9 or earlier are affected. The plugin’s compatibility list indicates that all builds from the earliest release through 1.2.9 may contain the flaw. Administrators should audit installed plugins for this version or any earlier release and verify the version number.
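As an added example, not part of the advisory or of the plugin's own code, the following Python helper performs the version audit described above: it reads the WordPress plugin header from a plugin's main PHP file and reports whether the installed Pie Calendar build falls in the affected range (1.2.9 or earlier). The sample header block is constructed for illustration; the numeric comparison avoids the trap where a string comparison would wrongly treat a hypothetical 1.2.10 as older than 1.2.9.

```python
import re
from typing import Optional, Tuple

# Highest affected release named in the advisory: Pie Calendar 1.2.9 and earlier.
LAST_AFFECTED_VERSION = "1.2.9"

# Constructed sample of a WordPress plugin header block, as found at the top of a
# plugin's main PHP file. The version value is chosen for illustration only.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Pie Calendar
 * Description: Add events to any post type.
 * Version: 1.2.8
 * Author: Jonathan Jernigan
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.2.9' into a comparable integer tuple.
    Pre-release suffixes like '-beta1' are dropped; short versions are padded."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    parts = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def plugin_header_field(source: str, field: str) -> Optional[str]:
    """Read one header field (e.g. 'Version') from a plugin's PHP header comment."""
    pattern = rf"^\s*\*?\s*{re.escape(field)}:\s*(.+?)\s*$"
    match = re.search(pattern, source, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_affected(installed_version: str) -> bool:
    """True when the installed Pie Calendar build is 1.2.9 or earlier."""
    return parse_version(installed_version) <= parse_version(LAST_AFFECTED_VERSION)


def audit_plugin_source(source: str) -> Optional[bool]:
    """Return True/False for affected/not affected, or None when the file is not
    the Pie Calendar plugin or its header carries no version."""
    name = plugin_header_field(source, "Plugin Name")
    version = plugin_header_field(source, "Version")
    if name is None or name.lower() != "pie calendar" or version is None:
        return None
    return is_affected(version)


if __name__ == "__main__":
    print(audit_plugin_source(SAMPLE_PLUGIN_HEADER))  # True: 1.2.8 is affected
```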
Risk and Exploitability
The CVSS score of 6.5 denotes moderate severity, and the EPSS figure of less than 1% suggests that exploit attempts are unlikely as of now. However, because the vulnerability is client‑side, attackers with the ability to supply arbitrary input—such as through URL parameters or form fields—could trigger the payload without needing elevated privileges. The absence of a KEV listing means no exploitation in the wild has yet been recorded, but standard web application defenses (output encoding, input validation, and a Content Security Policy) should still be applied to mitigate potential exploitation.
OpenCVE Enrichment