This flaw allows a type of cross‑site scripting where malicious script code can be injected into the browser session of a visitor when a URL or a page served by the SEO Friendly Images plugin is loaded. The vulnerability arises from the plugin’s failure to neutralize user input during page rendering, a classic input validation weakness identified as CWE‑79. If exploited, a malicious payload could steal credentials, hijack sessions, deface the site, or execute arbitrary client‑side actions, compromising the confidentiality and integrity of the user’s browser environment.

Vladimir Prelovac’s SEO Friendly Images WordPress plugin, versions from the earliest release up to and including 3.0.5, are impacted. Any installation of the plugin below 3.0.6 is considered vulnerable.

With a CVSS score of 6.5 the vulnerability is considered moderate in severity, while an EPSS score of less than 1% indicates that it is unlikely to be frequently exploited in the wild. The flaw is not listed in the CISA KEV catalog. The attack requires user interaction with a victim’s browser, typically via a crafted link or embedded content that triggers the plugin’s processing of unsanitized input. As it is a DOM‑based exploitation, the attacker needs the victim to load the insecure page in order to trigger the malicious script.