Impact
The vulnerability resides in DotNetNuke's handling of module headers and footers, enabling a content editor with write access to embed malicious scripts that are subsequently rendered for all other users who view the page. This cross‑site scripting flaw can lead to the execution of arbitrary code in victims' browsers, resulting in credential theft, phishing, or the compromise of the hosted site. The weakness is documented as CWE‑79, indicating an unchecked ability to inject and execute script content.
Affected Systems
The issue affects the DnnSoftware Dnn.Platform product. Any installation from version 9.0.0 up to, but not including, 9.13.10 is vulnerable, as are any releases of the platform before version 10.2.0. Versions 9.13.10 and 10.2.0 contain the fix, and later releases are presumed unaffected.
Risk and Exploitability
The CVSS score of 6.8 denotes a moderate severity. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild, and the vulnerability does not appear in CISA's KEV catalog. Exploitation requires a user with content‑editing privileges to inject script tags into module header or footer fields; once injected, the payload executes for all users who view the affected page. Given the necessity of privileged access and the relatively high effort compared to remote code execution, the overall risk is moderate but non‑negligible for sites that allow widespread editor access or are sensitive to data integrity and confidentiality concerns.
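One way to review existing module header and footer values for content that would execute in a visitor's browser, as described above. This is an added example, not code from DNN or from this advisory; it assumes the values have already been exported as `(module_id, header, footer)` tuples, and the function names and sample rows are hypothetical and constructed.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # reasons the fragment would run script

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and unescapes values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers drop tabs/newlines from URLs before reading the scheme.
                url = "".join(c for c in value if c > " ").lower()
                if url.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def audit_fragment(html):
    """Return the findings for one header or footer value (None = empty)."""
    finder = ActiveContentFinder()
    finder.feed(html or "")
    finder.close()
    return finder.findings

def audit_modules(rows):
    """rows: (module_id, header, footer) tuples -> {(id, field): findings}."""
    report = {}
    for module_id, header, footer in rows:
        for field, html in (("header", header), ("footer", footer)):
            findings = audit_fragment(html)
            if findings:
                report[(module_id, field)] = findings
    return report

# Constructed sample rows (hypothetical export, not real site data).
SAMPLE_ROWS = [
    (101, "<h2>News</h2>", "<p>&copy; Example Corp</p>"),
    (102, "<script>/* constructed */</script>", None),
    (103, "<p>Hi</p>", '<img src="x.png" OnError="/* constructed */">'),
    (104, '<a href="JavaScript:void(0)">more</a>', ""),
]

if __name__ == "__main__":
    print(audit_modules(SAMPLE_ROWS))
```

Findings are leads for manual review: a site may carry scripts an administrator placed deliberately, so each hit should be checked against who last edited the module.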