Impact
The affected component is a WordPress plugin that fails to neutralize user input before rendering it in the browser, resulting in a DOM‑based Cross‑Site Scripting flaw. When exploited, an attacker can inject and execute arbitrary JavaScript in the context of the site as seen by visitors, potentially stealing session data, hijacking accounts, defacing content, or redirecting users to malicious locations. The weakness stems from improper input sanitization in the plugin's page generation logic: untrusted data reaches a script-capable DOM sink without being escaped or otherwise neutralized.
Affected Systems
The vulnerability exists in the PublishPress Post Expirator WordPress plugin for all versions up to and including 4.9.4. Any WordPress installation that has this plugin installed and whose version has not been upgraded beyond 4.9.4 is susceptible. No other vendors or product lines are identified in the available data.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests that the vulnerability is unlikely to be actively exploited in the wild. The CVE is not listed in the CISA KEV catalog. The attack path is inferred: a malicious actor may craft a URL or embed malicious input that the plugin reflects into the page, so that an unsuspecting site visitor's browser executes the injected script. Exploitation requires no privileged access or authentication, but it does require a visitor to load a page that includes the vulnerable content. The overall risk is heightened for sites with broad public traffic or those handling sensitive user interactions.
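The following is an added illustration of the weakness class described in the Impact and Risk sections (attacker-influenced URL data reaching a markup-parsing DOM sink) and of the hardened form a maintainer would apply. It is not code from the PublishPress Post Expirator plugin and does not reflect the plugin's actual source; the function names and the query parameter `msg` are hypothetical, and the sample URL is constructed for the demonstration.

```javascript
// Added illustration of the DOM-based XSS pattern described in the advisory.
// This is NOT code from the PublishPress Post Expirator plugin; the function
// names and the query parameter "msg" are hypothetical.

// Minimal HTML escaping for text that will be placed inside element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Source: an attacker-influenced value read from the page URL.
function readMessageParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('msg') || '';
}

// Vulnerable pattern: untrusted input concatenated into markup that a sink such
// as element.innerHTML would parse. Any tag in `msg` becomes live DOM.
function renderNoticeUnsafe(pageUrl) {
  const msg = readMessageParam(pageUrl);
  return `<div class="notice">${msg}</div>`;
}

// Hardened pattern: the same value escaped so the sink treats it as text. In a
// real browser the equivalent is assigning to element.textContent rather than
// element.innerHTML, which removes the need for manual escaping entirely.
function renderNoticeSafe(pageUrl) {
  const msg = readMessageParam(pageUrl);
  return `<div class="notice">${escapeHtml(msg)}</div>`;
}

// Check used by the demonstration: did the rendered markup gain any element
// beyond the two wrapper tags the template itself emits?
function introducesMarkup(rendered, expectedWrapperTags = 2) {
  const tagCount = (rendered.match(/<[^>]+>/g) || []).length;
  return tagCount > expectedWrapperTags;
}

// Constructed sample URL carrying a harmless probe tag in the parameter.
const sampleUrl =
  'https://example.test/page?msg=' + encodeURIComponent('<b>probe</b>');
console.log(renderNoticeUnsafe(sampleUrl)); // probe tag survives: live markup
console.log(renderNoticeSafe(sampleUrl));   // probe tag shown as literal text
```

Run with `node` to see the two renderings side by side. The practical takeaway for site owners is unchanged by the example: the fix is to upgrade the plugin beyond 4.9.4, since the escaping has to happen inside the plugin's own rendering code, not in the site's theme.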
OpenCVE Enrichment