Impact
The plugin suffers from improper neutralization of input during web page generation (CWE-79), which permits arbitrary JavaScript to be stored and subsequently executed in the browsers of site visitors. This stored XSS flaw enables an attacker to inject scripts that can steal credentials, deface content, or redirect users to malicious sites. The vulnerability affects all versions of the Cool Tag Cloud plugin up to and including 2.29, with no known fix among those versions. Because the script executes in the visitor's browser, it does not directly compromise server integrity, but it poses a significant risk to the confidentiality and integrity of user data.
Affected Systems
This flaw impacts WordPress sites that have installed the WPKube Cool Tag Cloud plugin version 2.29 or earlier. Administrators of any WordPress installation running a vulnerable instance of Cool Tag Cloud should verify the installed plugin version and upgrade if necessary.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity with a user-targeted impact. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker submitting malicious input through the plugin's interface, which the plugin then stores and later renders on the site without escaping. If successful, the injected script runs in the context of the visiting user's browser session.
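To make the store-then-render pattern described in the Impact and Risk sections concrete, the following is an added illustration, not the Cool Tag Cloud plugin's code: a hypothetical tag-cloud link renderer (the ctc_demo_* names and the title-template option are invented for this example) that writes stored values into HTML unescaped, next to a hardened version that escapes each value for its output context and sanitizes the setting when it is saved. It assumes a WordPress runtime, since it relies on the core escaping and option APIs.

```php
<?php
// Illustrative only: NOT the Cool Tag Cloud plugin's code. The ctc_demo_*
// functions and the "title template" option are hypothetical, used to show the
// CWE-79 pattern (stored value written into HTML unescaped) beside its fix.

// Vulnerable pattern: the term name and a stored title template reach the page
// exactly as stored, so a value containing markup becomes live HTML/JS.
function ctc_demo_render_tag_vulnerable( WP_Term $tag, string $title_tpl ) : string {
    $href  = get_term_link( $tag );
    $title = str_replace( '%name%', $tag->name, $title_tpl );
    return '<a href="' . $href . '" title="' . $title . '">' . $tag->name . '</a>';
}

// Hardened pattern: escape every dynamic value for the context it lands in.
//   esc_url()  -> href attribute
//   esc_attr() -> title attribute
//   esc_html() -> element text
function ctc_demo_render_tag_safe( WP_Term $tag, string $title_tpl ) : string {
    $href = get_term_link( $tag );
    if ( is_wp_error( $href ) ) {
        return '';
    }
    $title = str_replace( '%name%', $tag->name, $title_tpl );
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $href ),
        esc_attr( $title ),
        esc_html( $tag->name )
    );
}

// Input side: when the (hypothetical) title template is saved from the settings
// screen, require the capability and nonce, then strip tags before storing.
// Output escaping above remains necessary even with this in place.
function ctc_demo_save_title_template() : void {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ctc_demo_save_settings' );
    $tpl = isset( $_POST['ctc_title_tpl'] ) ? wp_unslash( $_POST['ctc_title_tpl'] ) : '';
    update_option( 'ctc_demo_title_tpl', sanitize_text_field( $tpl ) );
}
```

When reviewing a plugin for this class of bug, look for every echo or concatenation of a stored value into markup and confirm it passes through the escaping function matching its context; a term name that is safe as element text is not automatically safe inside an attribute.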
OpenCVE Enrichment