The vulnerability exists because the NS Maintenance Mode for WP WordPress plugin through version 1.3.1 accepts input in certain settings without sanitising or escaping it. An administrator can insert malicious script that is stored in the database and rendered in the front‑end when the site is viewed, even when the unfiltered_html capability is disabled in a multisite environment. This allows the attacker to perform stored cross‑site scripting, which could lead to session hijacking, credential theft, or the execution of arbitrary code in the context of authenticated users.

WordPress sites running the NS Maintenance Mode for WP plugin version 1.3.1 or earlier. The plugin is installed on any WordPress installation, including multisite networks. Administrators can trigger the flaw through the plugin’s settings interface, and the malicious script is persisted in the database for all visitors.

The CVSS score of 3.5 indicates a low severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. This stored cross‑site scripting vulnerability requires that an attacker has administrative privileges to inject malicious content via the plugin’s settings interface. It is not listed in CISA’s KEV catalog. Once the attacker achieves this injection, the stored script will be delivered to all visitors, providing a persistent client‑side compromise.