Impact
The vulnerability is an improper neutralization of input during web page generation (CWE‑79) in the OTWthemes Popping Sidebars and Widgets Light plugin that allows stored cross‑site scripting. An attacker who can inject content through the plugin’s administrative interface can embed scripts that execute in the browser of any visitor to the affected pages, potentially enabling session hijacking, credential theft, defacement, or other arbitrary client‑side actions. The impact is confined to WordPress sites running the vulnerable plugin, but it extends to every user who views the compromised content.
Affected Systems
WordPress sites running the OTWthemes Popping Sidebars and Widgets Light plugin in any version up to and including 1.27 are affected. Upgrading or removing the plugin eliminates the vulnerability.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The CVE does not state the required attacker privileges, but an attacker would presumably need some level of access to the plugin’s administrative interface to inject payloads that are stored and later rendered. Once stored, the injected script runs in the browser of every user who views the affected content. The vulnerability is not listed in CISA’s KEV catalog.
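The stored‑XSS pattern described in the Impact and Risk sections, as an added example that is not the plugin’s code: a hypothetical widget that persists a title and a CSS class, rendered once without and once with context‑aware escaping, then parsed with DOMDocument to count what a browser would actually execute. It uses plain‑PHP stand‑ins (htmlspecialchars) for the WordPress esc_html()/esc_attr() helpers so it runs under the php CLI alone.

```php
<?php
// Added example, not the plugin's own code: a widget that persists a title and a
// CSS class (hypothetical settings), rendered once without and once with
// context-aware escaping. A plain-PHP stand-in replaces the WordPress helpers
// (esc_html()/esc_attr() -> htmlspecialchars()).
declare(strict_types=1);

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed stored settings, as saved through the widget's admin form. Widget
// settings persist in the database, so one save reaches every later page view.
$storedInstance = [
    'title'     => 'Offers <script>alert("stored xss")</script>',
    'css_class' => 'popping" onmouseover="alert(1)',
];

// Vulnerable pattern: stored values are concatenated straight into the markup.
function render_widget_unsafe(array $instance): string {
    return '<div class="widget ' . $instance['css_class'] . '">'
         . '<h2>' . $instance['title'] . '</h2></div>';
}

// Hardened pattern: escape at output time, with the escaper for the context
// (attribute value vs. element text). In WordPress: esc_attr() / esc_html().
function render_widget_safe(array $instance): string {
    return '<div class="widget ' . esc($instance['css_class']) . '">'
         . '<h2>' . esc($instance['title']) . '</h2></div>';
}

// Count what a browser would actually execute: parse the markup the way a browser
// does instead of grepping the string (escaped text still contains "onmouseover=").
function active_constructs(string $html): int {
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $count = $doc->getElementsByTagName('script')->length;
    $count += (new DOMXPath($doc))->query('//@*[starts-with(name(), "on")]')->length;
    return $count;
}

foreach (['unsafe' => render_widget_unsafe($storedInstance),
          'safe'   => render_widget_safe($storedInstance)] as $label => $html) {
    printf("%-7s active constructs: %d  %s\n", $label, active_constructs($html), $html);
}
```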
OpenCVE Enrichment