The WP 404 Auto Redirect to Similar Post plugin for WordPress is susceptible to Stored Cross‑Site Scripting because it does not properly sanitize or escape input entered through its admin settings. An attacker who logs in with administrator privileges or higher can inject arbitrary JavaScript into a page that will execute whenever any user opens that page, which could be used to compromise the browser environment of the victim. The description does not list specific consequences, but typical effects of such stored XSS include credential theft, defacement, or session hijacking; this inference is based on general XSS behavior. The vulnerability is a CWE‑79 type weakness and is limited to user authentication contexts that have write access to the plugin’s configuration, not to unauthenticated web traffic.

WordPress sites running WP 404 Auto Redirect to Similar Post versions 1.0.5 or older on a multi‑site network, particularly where the site has disabled the unfiltered_html capability. Sites with standard single‑site installations or with unfiltered_html enabled are not affected.

With a CVSS score of 4.4 the risk level is moderate. The EPSS score of less than 1% indicates that exploitation is presently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an authenticated administrator or higher; the attacker must first log into the site and then use the plugin’s settings page to inject malicious code. Successful exploitation would allow execution of arbitrary scripts in the browser context of any user who views the affected page.