Impact
Improper neutralization of user input during web page generation allows a DOM-based Cross-Site Scripting (XSS) attack. The Bulk Auto Image Title Attribute plugin fails to escape image title attributes, enabling an attacker to inject arbitrary script that runs in the victim's browser. An attacker can leverage this flaw to steal session cookies, deface web pages, or execute arbitrary actions on behalf of the user. The weakness is a classic XSS vulnerability (CWE-79).
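The defect the advisory describes is an attribute value written into markup without escaping. The following is an added example, not code from the Bulk Auto Image Title Attribute plugin or from OpenCVE: it builds an img tag the unsafe way and the escaped way, then parses the result back so the difference is visible to a test rather than only to a browser. The escaping table mirrors what WordPress's esc_attr() emits; SAMPLE_TITLE is a constructed value, not a payload taken from the advisory.

```javascript
// Added example (assumption: a plugin that writes a stored image title into
// an <img> tag). Not the plugin's own code.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const ATTR_UNESCAPES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&amp;': '&' };

// Escape a string for use inside a quoted HTML attribute value.
// Same character set that WordPress esc_attr() encodes.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Reverse of escapeAttr(), used by the parser below. &amp; is decoded last so a
// literal "&lt;" stored by the user is not double-decoded.
function unescapeAttr(value) {
  return String(value).replace(/&(lt|gt|quot|#039|amp);/g, (m) => ATTR_UNESCAPES[m]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function buildImgTagUnsafe(src, title) {
  return `<img src="${src}" title="${title}">`;
}

// Hardened pattern: every attribute value passes through escapeAttr().
function buildImgTagSafe(src, title) {
  return `<img src="${escapeAttr(src)}" title="${escapeAttr(title)}">`;
}

// Minimal attribute parser for a single tag, the way a browser tokenizer would
// see it: returns { name: decodedValue }. If the title value broke out of its
// quotes, the injected attribute shows up here as a separate key.
function parseAttributes(html) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    attrs[m[1]] = unescapeAttr(m[2]);
  }
  return attrs;
}

// Constructed sample: a title containing a quote and an extra attribute.
const SAMPLE_TITLE = 'Team photo" onmouseover="alert(1)';

// Returns true only when the title survives the round trip intact and no
// unexpected attribute appeared; a unit test for any template that emits <img>.
function titleIsContained(html, expectedTitle) {
  const attrs = parseAttributes(html);
  const keys = Object.keys(attrs).sort();
  return attrs.title === expectedTitle && keys.join(',') === 'src,title';
}

console.log('unsafe:', buildImgTagUnsafe('/a.png', SAMPLE_TITLE));
console.log('safe:  ', buildImgTagSafe('/a.png', SAMPLE_TITLE));
console.log('unsafe contained?', titleIsContained(buildImgTagUnsafe('/a.png', SAMPLE_TITLE), SAMPLE_TITLE));
console.log('safe contained?  ', titleIsContained(buildImgTagSafe('/a.png', SAMPLE_TITLE), SAMPLE_TITLE));
```

On the PHP side the same fix is `esc_attr( $title )` at the point where the attribute is printed; on the client side, when the title is applied by script rather than by a template, assigning `img.title = value` or calling `img.setAttribute('title', value)` keeps the value as data instead of re-parsing it as markup, which is the DOM-based variant of the same mistake.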
Affected Systems
Pagup's Bulk Auto Image Title Attribute plugin in versions up to and including 2.0.1 is affected. WordPress sites running any of these plugin releases are potentially vulnerable.
Risk and Exploitability
The CVSS v3.1 score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in CISA's KEV catalog, but attackers can exploit it via client-side script injection without authentication. The main attack vector is DOM-based XSS, which is triggered when any user views a page that includes the malicious title payload. Given its simplicity, the vulnerability could be abused in widespread phishing campaigns or through compromised content, but the current exploitation probability remains low.
OpenCVE Enrichment