Impact
The vulnerability is an improper neutralization of input during web page generation: untrusted input reaches a DOM sink, allowing an attacker to inject script through DOM manipulation. The result is cross‑site scripting that executes arbitrary JavaScript in the browser of a user who views a page rendered by the plugin. The weakness is classified as CWE‑79. No remote code execution is reported; the impact is restricted to compromise of the affected user's session, with potential data exfiltration or page defacement. The flaw is limited to the Penci Podcast plugin version <=1.7, and it is a DOM‑based (client‑side) XSS rather than a server‑side injection.
Affected Systems
The affected product is the WordPress Penci Podcast plugin by PenciDesign. Versions from the earliest release through version 1.7 are vulnerable; no version numbers are listed beyond that upper bound. Administrators should confirm that the plugin has been updated to a later release in which the issue is resolved. Any WordPress site with the Penci Podcast add‑on installed is in scope, regardless of the hosting server.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. The EPSS probability is very low (<1%), and the vulnerability is not listed in the CISA KEV catalog, implying no known exploitation in the wild. However, because the flaw permits execution of arbitrary JavaScript in the context of a legitimate user, it could be leveraged to steal cookies, perform phishing, or inject further malware. The likely attack vector is a user following a crafted link whose URL reaches the plugin's client‑side rendering logic; no authentication or privilege escalation is required. Given the low EPSS, the overall risk is moderate, but site owners should still address it promptly.
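The following block is an added illustration of the CWE‑79 DOM‑based XSS pattern described above, written for this page and not taken from the Penci Podcast plugin or from OpenCVE. It assumes, purely for illustration, a URL parameter named "episode" whose value a client‑side script writes into the page as an episode title; the vulnerable path concatenates that value into markup bound for innerHTML, and the two hardened paths either entity‑encode it or write it through textContent so the HTML parser is never invoked.

```javascript
// Added illustration of the DOM-based XSS pattern (CWE-79) and its hardened form.
// NOT Penci Podcast code: the "episode" parameter name, the CSS class and the
// markup shape are assumptions made for this example.

// Constructed sample URL: the "episode" parameter carries markup, not a plain title.
const SAMPLE_URL =
  "https://example.invalid/podcast/?episode=%3Cb%3Einjected%3C%2Fb%3E";

// Pull the untrusted value out of the URL, as a client-side script would.
function episodeFromUrl(url) {
  return new URL(url).searchParams.get("episode") ?? "";
}

// VULNERABLE pattern: untrusted text is concatenated into markup that is later
// assigned to element.innerHTML. The browser parses the value as HTML, so any
// tags inside it become live DOM nodes.
function buildUnsafeMarkup(title) {
  return '<h2 class="episode-title">' + title + "</h2>";
}

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED pattern (a): encode before concatenating, so "<" reaches the parser as "&lt;".
function buildSafeMarkup(title) {
  return '<h2 class="episode-title">' + escapeHtml(title) + "</h2>";
}

// HARDENED pattern (b), preferable when the value is plain text: assign through
// textContent, which never invokes the HTML parser. `el` is any object with a
// textContent property (a real element in the browser, a plain object here).
function renderTitle(el, title) {
  el.textContent = title;
  return el;
}

// Simple defender check for a sink: after rendering, does the untrusted input
// survive verbatim with its tag characters? True means input is treated as markup.
function inputReachesParser(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}

// Walk the constructed sample through each path.
const title = episodeFromUrl(SAMPLE_URL);
console.log("unsafe      :", buildUnsafeMarkup(title), inputReachesParser(buildUnsafeMarkup(title), title));
console.log("encoded     :", buildSafeMarkup(title), inputReachesParser(buildSafeMarkup(title), title));
console.log("textContent :", renderTitle({ textContent: "" }, title).textContent);
```

The textContent path is the one to prefer for plain‑text values such as titles; entity encoding is the fallback when markup genuinely has to be assembled as a string. A Content‑Security‑Policy that disallows inline script is a useful defence in depth, but it does not replace fixing the sink.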
OpenCVE Enrichment