Impact
The CSS & JavaScript Toolbox plugin for WordPress is vulnerable to stored cross-site scripting. The flaw arises from insufficient input sanitization and output escaping in the plugin's admin settings interface. An attacker with administrator-level or higher privileges can inject arbitrary JavaScript into the values entered for the plugin's settings; the stored script is then rendered on every page that invokes the plugin and executes in the browser of any user who views such a page, which can expose session credentials, deface content, or serve as a foothold for further attacks.
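To make the described defect concrete, the PHP below is an added example written for this page, not code from the CSS & JavaScript Toolbox plugin. It places the weak pattern (a settings value taken from the request as-is and echoed as-is) beside the pattern WordPress expects: a capability gate on script-bearing values, sanitization on save through register_setting(), and escaping on output. Every option, function and hook name prefixed example_toolbox_ is an assumption for this example.

```php
<?php
/**
 * Plugin Name: Example Toolbox Settings Hardening
 *
 * Added illustrative example for this advisory; not the CSS & JavaScript
 * Toolbox plugin's own code. The example_toolbox_* names are assumptions.
 */

// --- Weak pattern: no capability check, no sanitization, no escaping. ---
function example_toolbox_weak_save() {
    if ( isset( $_POST['example_toolbox_code'] ) ) {
        // Raw request data lands in the database unchanged, regardless of
        // whether the saving user is allowed to publish unfiltered HTML.
        update_option( 'example_toolbox_code', wp_unslash( $_POST['example_toolbox_code'] ) );
    }
}

function example_toolbox_weak_output() {
    // Echoed unescaped into every page that runs this hook: whatever was
    // stored, <script> included, executes for every visitor.
    echo get_option( 'example_toolbox_code', '' );
}

// --- Hardened pattern. ---
// register_setting() attaches this callback to the sanitize_option_{$option}
// filter, so it runs on every update_option() for this option, including
// saves submitted through options.php.
function example_toolbox_sanitize_code( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        // WordPress already trusts this user to publish arbitrary markup and
        // script (single-site administrators, multisite super admins).
        return $value;
    }
    // Administrators on multisite, or on sites with DISALLOW_UNFILTERED_HTML,
    // lack unfiltered_html: remove <script>, on* event handlers and
    // javascript: URLs, keeping only post-safe markup.
    return wp_kses_post( $value );
}

add_action( 'admin_init', function () {
    register_setting( 'example_toolbox', 'example_toolbox_code', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_toolbox_sanitize_code',
        'default'           => '',
    ) );
} );

// Settings form: the stored value is escaped for the context it is printed
// into (a textarea), so a stored payload cannot break out of the admin page.
function example_toolbox_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post" action="options.php">';
    settings_fields( 'example_toolbox' ); // option group, action and nonce fields
    echo '<textarea name="example_toolbox_code" rows="10" cols="80">';
    echo esc_textarea( get_option( 'example_toolbox_code', '' ) );
    echo '</textarea>';
    submit_button();
    echo '</form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Example Toolbox', 'Example Toolbox', 'manage_options',
        'example-toolbox', 'example_toolbox_settings_page' );
} );
```

The capability gate is the essential part for a plugin whose purpose is to emit CSS and JavaScript: its front-end output has to be unescaped by design, so the only place to enforce a boundary is at save time, and the boundary WordPress itself uses for "may this user publish script" is the unfiltered_html capability. wp_kses_post() strips script elements and event-handler attributes while leaving ordinary post markup, and esc_textarea() protects the admin form that displays the stored value.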
Affected Systems
WordPress sites running wipeoutmedia's CSS & JavaScript Toolbox plugin in any version up to and including 12.0.5. The issue only matters where administrator accounts lack the unfiltered_html capability that WordPress normally grants them: on multi-site networks, where only super admins hold it, and on single-site installs where it has been disabled (for example through the DISALLOW_UNFILTERED_HTML constant). Where administrators do hold unfiltered_html, WordPress already lets them publish arbitrary script, so the plugin's behaviour grants them nothing they did not already have.
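A practitioner deciding whether a particular install meets these preconditions can check them directly rather than reason from the site type. The following WP-CLI eval-file script is an added example for this page, not part of the advisory or the plugin; the file name is an assumption, and the plugin version still has to be compared against 12.0.5 separately.

```php
<?php
/**
 * Added example (not part of the advisory or the plugin). Reports whether
 * this WordPress install is in the configuration the advisory describes:
 * administrator accounts that do not hold the unfiltered_html capability.
 *
 * Run from the site root:  wp eval-file check-unfiltered-html.php
 * (file name assumed for this example)
 */

// Condition 1: multisite. Regular administrators are not super admins, so
// map_meta_cap() maps unfiltered_html to do_not_allow for them.
$multisite = is_multisite();

// Condition 2: unfiltered_html disabled for everyone via wp-config.php.
$disallowed = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;

WP_CLI::log( 'Multisite:                ' . ( $multisite ? 'yes' : 'no' ) );
WP_CLI::log( 'DISALLOW_UNFILTERED_HTML: ' . ( $disallowed ? 'yes' : 'no' ) );

// Resolve the effective capability per administrator account on this site.
// user_can() goes through map_meta_cap(), so both conditions above and the
// super-admin exception are taken into account automatically.
$admins   = get_users( array( 'role' => 'administrator' ) );
$affected = 0;
foreach ( $admins as $user ) {
    $can = user_can( $user, 'unfiltered_html' );
    if ( ! $can ) {
        $affected++;
    }
    WP_CLI::log( sprintf( '  %-24s unfiltered_html=%s', $user->user_login, $can ? 'yes' : 'no' ) );
}

if ( $affected > 0 ) {
    WP_CLI::warning( "$affected administrator account(s) lack unfiltered_html; "
        . 'this install matches the affected configuration if the plugin is at or below 12.0.5.' );
} else {
    WP_CLI::success( 'All administrators hold unfiltered_html; the stated precondition does not apply here.' );
}
```

Accounts reported with unfiltered_html=no are the ones WordPress would otherwise filter script out of, and therefore the ones a vulnerable plugin version lets bypass that filter; on a plain single-site install with default settings the list normally shows every administrator as yes.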
Risk and Exploitability
The CVSS base score is 4.4, EPSS puts the probability of exploitation in the wild below 1 %, and the vulnerability is not listed in the CISA KEV catalog. Exploitation nonetheless requires nothing more than an authenticated administrator account: the attacker saves the payload through the plugin's settings UI, after which the script executes for every user who loads a page that uses the plugin. Because the entry point is limited to privileged users, the overall severity is moderate, but the attacker gains persistent, site-wide execution of arbitrary code in visitors' browsers, which makes it a real concern for sites that rely on this plugin for styling or functionality.
OpenCVE Enrichment