The Mosaic Generator WordPress plugin is vulnerable to stored cross‑site scripting through the "c" parameter because the input is not adequately sanitized and the output is not escaped. An attacker with Contributor‑level or higher can embed arbitrary JavaScript in a page that will run whenever a user views that page, potentially enabling data theft, session hijacking, or other malicious client‑side actions. This attack can compromise the confidentiality and integrity of users’ information without affecting availability directly.

The vulnerability affects the Mosaic Generator plugin released by odn, all versions up to and including 1.0.5, which is available for installation on WordPress sites. No specific patch version is listed in the data, but any installation of v1.0.5 or earlier is impacted.

The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score is below 1%, suggesting that exploitation is expected to be rare. The vulnerability is not listed in the CISA KEV catalog, further implying no widespread active attacks are documented. Because the flaw is authenticated, an attacker must first obtain Contributor‑level or higher access to the site, which limits the threat scope to sites with compromised accounts or insufficient role management. The typical attack path involves logging in as a user with the necessary permissions, using the vulnerable "c" parameter to inject JavaScript, and waiting for other users to view the affected page.