Impact
The plugin contains an unauthenticated Cross-Site Scripting flaw (CWE-79) that allows an attacker to inject arbitrary JavaScript into web pages served by affected WordPress sites. The vulnerability stems from insufficient sanitization of user-supplied input. An attacker can craft a request that causes arbitrary script to execute in the context of the victim's browser, potentially exfiltrating session cookies, defacing content, or conducting phishing attacks. The result is a breach of the confidentiality, integrity, and availability of the affected website and its users.
Affected Systems
WordPress installations running the perfmatters plugin at version 2.6.4 or older are affected. This includes every site that has not yet applied the 2.6.5 update. The vendor is Perfmatters. No other WordPress plugins or core versions are listed as affected.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-impact vulnerability of moderate complexity. No EPSS score is available, so the current probability of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploitation has been reported publicly. Because the description states that the defect is unauthenticated, it is inferred that an attacker can trigger it through a crafted URL or malicious form input, making it reachable without any credentials.
OpenCVE Enrichment