Impact
The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of user input during web page generation. Attackers can inject malicious scripts into email templates so that whenever the template is rendered or viewed by site visitors or email recipients, the injected code executes within the victim’s browser. This can lead to session hijacking, phishing, or the execution of arbitrary client‑side commands.
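As an added illustration, not code from the plugin or from this advisory, the Python below shows what "improper neutralization during web page generation" means for a stored email-template field and how a defender closes it: the unsafe interpolation that lets a stored script execute, HTML escaping for fields that should only ever be plain text, and a small allowlist sanitizer for fields that legitimately carry limited markup (so `<strong>` survives but `<script>`, event-handler attributes and `javascript:` links do not). The payloads are constructed test strings. In WordPress the corresponding functions are `esc_html()`/`esc_attr()` and `wp_kses()`/`wp_kses_post()`; whether the plugin's fix uses them is not stated on this page.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a template field in which an attacker has stored markup.
STORED_RICH_FIELD = (
    'Hi <strong>there</strong>'
    '<script>alert(1)</script>'
    '<img src=x onerror=alert(1)>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com" onclick="alert(1)">ok</a>'
)
STORED_TEXT_FIELD = '<script>alert(1)</script>'

# Tags and attributes a template author legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # their text is discarded, not just the tag


def render_unsafe(stored_field: str) -> str:
    """The failure mode: stored input reaches the page with no neutralization."""
    return f"<p>{stored_field}</p>"


def render_escaped(stored_field: str) -> str:
    """Correct for fields that must be plain text: every metacharacter becomes an entity."""
    return f"<p>{html.escape(stored_field, quote=True)}</p>"


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still kept (escaped)
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on* handlers and any attribute not on the allowlist
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue  # blocks javascript:, data: and other non-web schemes
            safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            # convert_charrefs decoded entities already, so re-escaping is safe and idempotent
            self.out.append(html.escape(data, quote=False))


def sanitize_allowlist(fragment: str) -> str:
    """Correct for rich-text fields: keep a fixed set of harmless tags, escape everything else."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("unsafe:   ", render_unsafe(STORED_TEXT_FIELD))
    print("escaped:  ", render_escaped(STORED_TEXT_FIELD))
    print("sanitized:", sanitize_allowlist(STORED_RICH_FIELD))
```

The two safe paths differ by field type: a subject line or sender name should go through `render_escaped` so that nothing is interpreted as markup, while a body that genuinely needs bold text or links goes through the allowlist, which rebuilds the fragment rather than trying to spot bad strings in it. Note that the sanitizer drops the *content* of `<script>` and `<style>` but keeps the text of other unknown tags, which matches how `wp_kses()` behaves.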
Affected Systems
The flaw affects the VillaTheme Email Template Customizer for WooCommerce plugin, versions 1.2.17 and earlier. Any WordPress site that has installed or upgraded to any of those versions is at risk.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score of <1% shows a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The CVE description does not state what privileges are required to inject the payload; it is reasonable to infer that administrative or plugin-management privileges are needed to edit the templates, but this is an inference, not a detail confirmed by the CVE description. Because the attack relies on stored input that is later rendered in a web context, the injected script executes only when a user views or previews the compromised template.
OpenCVE Enrichment