The Envo Extra plugin accepts user input that is stored and later displayed without proper escaping, allowing an attacker to embed malicious scripts into web pages. A successful exploit would lead to the execution of attacker‑controlled code in the browsers of any user who visits the affected page, enabling data theft, session hijacking, or defacement. The vulnerability is rooted in a lack of input validation and sanitization, classifying it as a classic Cross‑Site Scripting flaw (CWE‑79).

The affected product is the EnvoExtra plugin for WordPress by EnvoThemes, available in any version up to and including 1.9.11. No specific release notes are provided beyond this upper bound, so any installation of a version 1.9.11 or earlier is at risk.

The CVSS score of 6.5 marks this vulnerability as moderate. The EPSS score of less than 1% indicates that, at the time of analysis, the likelihood of exploitation is low, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires an attacker to submit malicious input that the plugin stores, which can then be served to users. The description does not specify authentication, so the attack may be possible from unprivileged actors if the plugin’s input interface is publicly accessible. The stored nature of the flaw means that a single injection could affect every subsequent visitor to the compromised content.