Impact
The vulnerability in the dmccan Yada Wiki plugin is a stored XSS flaw caused by inadequate neutralization of user input during page rendering. An attacker can save malicious script into plugin fields, and that script is then embedded in the HTML output whenever a site visitor loads the affected page, potentially leading to phishing, credential theft or session hijacking. The weakness is a classic input validation flaw (CWE-79).
Affected Systems
The flaw exists in all releases of the Yada Wiki WordPress plugin up to and including version 3.5. Administrators using versions through 3.5 are affected; newer releases (3.6 and beyond) are presumed free of the issue.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Its EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and it is not listed in the CISA KEV catalog. Exploiting the vulnerability involves injecting malicious content into plugin data fields; this typically implies the need for permission to create or edit those fields, although the CVE does not explicitly confirm this requirement. Attackers can then trick legitimate site visitors into executing the injected scripts when they view the affected pages.
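The Impact and Risk sections above describe the mechanism (a stored field is written into the page without neutralization) without showing what the missing step looks like. The following is an added example, not code from Yada Wiki or the plugin author: a minimal rendering function in the vulnerable shape beside its hardened counterpart, using the WordPress escaping helpers esc_html(), esc_attr() and wp_kses_post(). The field names and stored values are constructed, and fallback definitions are supplied so the file also runs under a plain php CLI outside WordPress.

```php
<?php
// Added example (not Yada Wiki's code): the output-encoding step whose
// absence produces a CWE-79 stored XSS. Field names and values are constructed.

// Fallbacks so this file runs with plain `php` outside WordPress; inside
// WordPress the real esc_html()/esc_attr() are already defined and used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed stored plugin fields, i.e. what a user with edit rights on the
// plugin's settings or pages could have saved and what the renderer later reads.
$stored_title     = 'Intro <script>alert(document.cookie)</script>';
$stored_css_class = 'box" onmouseover="alert(1)';

// Vulnerable pattern: stored values concatenated straight into markup.
// Both the element body and the attribute value are injection points.
function render_vulnerable($title, $css_class) {
    return '<div class="' . $css_class . '"><h2>' . $title . '</h2></div>';
}

// Hardened pattern: encode each value for the exact context it lands in.
// esc_attr() for attribute values, esc_html() for text content.
function render_hardened($title, $css_class) {
    return '<div class="' . esc_attr($css_class) . '">'
         . '<h2>' . esc_html($title) . '</h2></div>';
}

// For a field that legitimately holds markup (a wiki body), blanket encoding
// would break the content; filter it to WordPress's post allow-list instead.
// wp_kses_post() only exists inside WordPress, hence the guard.
function render_body($body) {
    if (function_exists('wp_kses_post')) {
        return wp_kses_post($body);
    }
    return esc_html($body); // conservative fallback outside WordPress
}

echo render_vulnerable($stored_title, $stored_css_class), PHP_EOL;
echo render_hardened($stored_title, $stored_css_class), PHP_EOL;
echo render_body('<p>Safe <b>text</b></p><script>alert(1)</script>'), PHP_EOL;
```

The first line of output is the page as the vulnerable renderer emits it, with a live script element and an injected event handler; the second shows the same stored data encoded so the browser displays the characters rather than executing them. The context-specific choice matters: a value that is safe inside an element body is not automatically safe inside an attribute, which is why the hardened version picks the escaper per location rather than applying one filter at save time.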
OpenCVE Enrichment