Impact
The WP Delete Post Copies plugin does not sufficiently sanitise input or escape output in its admin settings, so an authenticated user with administrator-level permissions or higher can store arbitrary script in a setting value. This is a stored cross-site scripting vulnerability (CWE-79). The injected script runs in the browser of any user who views a page that renders the affected setting, in the origin of the site, so it can read or modify page contents and perform actions with that user's session. The practical consequence is a loss of integrity and confidentiality for the sessions of users who open the injected page.
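The following is an added illustration, not code from the WP Delete Post Copies plugin: the generic WordPress settings pattern that produces a CWE-79 finding of the kind described above, beside its hardened form. The option, field and function names (wdpc_demo_*) are hypothetical.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Shows the generic WordPress
 * settings pattern behind a stored-XSS finding like this one, and its fix.
 * Option, field and function names (wdpc_demo_*) are hypothetical.
 */

/* ---------- Vulnerable pattern: stored as received, echoed as stored ---------- */

function wdpc_demo_save_unsafe() {
    if ( isset( $_POST['wdpc_demo_label'] ) ) {
        // No sanitisation: a value such as
        //   " autofocus onfocus="alert(document.cookie)
        // is persisted verbatim in wp_options.
        update_option( 'wdpc_demo_label', wp_unslash( $_POST['wdpc_demo_label'] ) );
    }
}

function wdpc_demo_render_unsafe() {
    // No output escaping: the stored value is concatenated into an attribute,
    // so the quote in the payload closes value="..." and injects an event
    // handler that fires in the browser of whoever opens this page.
    echo '<input type="text" name="wdpc_demo_label" value="'
        . get_option( 'wdpc_demo_label', '' ) . '">';
}

/* ---------- Hardened pattern: sanitise on input, escape on output ---------- */

function wdpc_demo_register_setting() {
    // Settings API: WordPress runs sanitize_callback before the value is stored,
    // and options.php handles the nonce and capability checks for the form.
    register_setting(
        'wdpc_demo_group',
        'wdpc_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags and control chars
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'wdpc_demo_register_setting' );

function wdpc_demo_render_safe() {
    // sanitize_text_field() does not encode quotes, so escaping is still
    // required at output time, for the specific context (an attribute here).
    printf(
        '<input type="text" name="wdpc_demo_label" value="%s">',
        esc_attr( get_option( 'wdpc_demo_label', '' ) )
    );
}

/*
 * Why unfiltered_html matters: an administrator who holds that capability may
 * post arbitrary HTML by design, so the same payload is not a vulnerability for
 * them. The unsafe pattern above is a finding only where administrators lack
 * it (multisite, or DISALLOW_UNFILTERED_HTML set).
 */
```

Input sanitisation and output escaping are separate controls: the sanitiser decides what may be stored, the escaper (esc_attr, esc_html, esc_js, depending on where the value lands) makes whatever is stored inert in that output context. Doing only one of the two is what typically leaves findings like this one.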
Affected Systems
The flaw affects WordPress installations running WP Delete Post Copies by etruel, version 6.0.2 or earlier. It only matters where administrator accounts lack the unfiltered_html capability, which WordPress grants to administrators by default: that is the case on multisite installations, where only super admins hold it, and on single-site installations where it has been disabled, for example through the DISALLOW_UNFILTERED_HTML constant. An administrator who holds unfiltered_html can already publish arbitrary HTML and script by design, so the finding adds nothing there. Exploitation requires administrator or higher privileges.
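The following is an added example, not part of the advisory or of the plugin: a WP-CLI script that reports whether a given site is in scope, meaning an affected plugin version is installed and at least one administrator on the site lacks unfiltered_html. The plugin main-file path is an assumption and should be replaced with the slug actually installed.

```php
<?php
/*
 * Added example, not from the advisory or the plugin. Reports whether a site is
 * in scope: affected plugin version installed AND at least one administrator
 * lacks unfiltered_html. Run inside WP-CLI:
 *   wp eval-file wdpc-scope-check.php            (single site)
 *   wp eval-file wdpc-scope-check.php --url=...  (one site of a network)
 * The plugin file path below is an assumption; use the real slug/main file.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';

function wdpc_scope_report( $plugin_file = 'wp-delete-post-copies/wp-delete-post-copies.php' ) {
    $report = array(
        'installed'                      => false,
        'version'                        => null,
        'affected_version'               => false,
        'multisite'                      => is_multisite(),
        'disallow_unfiltered_html'       => defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML,
        'admins_without_unfiltered_html' => array(),
    );

    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if ( file_exists( $path ) ) {
        $data = get_plugin_data( $path, false, false );
        $report['installed']        = true;
        $report['version']          = $data['Version'];
        // Advisory: 6.0.2 and earlier are affected.
        $report['affected_version'] = version_compare( $data['Version'], '6.0.2', '<=' );
    }

    // user_can() already reflects both preconditions from the advisory: on
    // multisite only super admins keep unfiltered_html, and
    // DISALLOW_UNFILTERED_HTML removes it for everyone.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( ! user_can( $user, 'unfiltered_html' ) ) {
            $report['admins_without_unfiltered_html'][] = $user->user_login;
        }
    }

    $report['in_scope'] = $report['installed']
        && $report['affected_version']
        && ! empty( $report['admins_without_unfiltered_html'] );

    return $report;
}

WP_CLI::log( wp_json_encode( wdpc_scope_report(), JSON_PRETTY_PRINT ) );
```

On a network, get_users() with a role filter is evaluated for the current site only, so run the script once per site (or loop with wp site list) to get the full picture; the multisite and disallow_unfiltered_html fields are included so the reason an administrator lacks the capability is visible in the output.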
Risk and Exploitability
A CVSS score of 4.4 places the issue at medium severity. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalogue, so the likelihood of exploitation in the wild is low. Because the attack requires an authenticated administrator account, the realistic attack surface is limited to sites where such an account is compromised or where a site administrator is not trusted by the site owner, which is the usual situation on a multisite network. Once the payload is stored, it is delivered to every user who views the affected page, so the impact scales with how widely that page is accessed. The remedy is to update the plugin to a version newer than 6.0.2 and to review who holds administrator access.
OpenCVE Enrichment