Catch Themes Essential Widgets versions up to 2.2.2 contain a stored cross‑site scripting flaw that allows input to be stored in the database and rendered without proper neutralization. An attacker who can inject malicious script will trigger execution in a victim’s browser when a page containing the widget is viewed, enabling cookie theft, session hijacking, or webpage defacement. The vulnerability is a classic input validation issue identified as CWE‑79 and is rated with a CVSS score of 6.5, indicating moderate severity. The impact is that any user who views the affected page could be compromised, potentially exposing personal data or credentials.

The flaw affects the Catch Themes Essential Widgets plugin for WordPress, both free and pro editions, on all versions from the earliest release through 2.2.2. No further version restrictions are provided, so all installations of this plugin prior to the next release are vulnerable.

The EPSS score is below 1 %, showing a low estimated exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw allows persistent script injection via stored data, the potential damage is significant. The attack vector is client‑side; an attacker must first inject malicious content that is stored by the plugin, typically through interacting with an input field that is later rendered on a page. Inference suggests that administrative privileges or at least access to widget configuration are required, but the exact permissions needed are not specified in the description.