Impact
The FluentAuth plugin contains a stored cross‑site scripting flaw that allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript through the fluent_auth_reset_password shortcode. The plugin does not sanitize or escape user‑supplied attributes, enabling the stored payload to run on pages that include the shortcode. Based on the description, the attack vector is the insertion or editing of page content via the WordPress editor, which stores the malicious shortcode attributes in the database.
Affected Systems
Any WordPress site running TechJewel’s FluentAuth – The Ultimate Authorization & Security Plugin at a version up to and including 2.0.3 is affected. The vulnerability requires the plugin’s shortcode to be present in a post, page or widget and a user account with Contributor privilege or higher. Sites that have removed the shortcode or disabled it are not vulnerable.
Risk and Exploitability
The CVSS score of 6.4 places the severity at moderate. The EPSS score of < 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, because the required permissions are granted to many contributors and because the flaw allows arbitrary script execution, a site with an active contributor account is a feasible target. Attackers would create or edit content containing the vulnerable shortcode and supply malicious attributes that are stored and executed for all visitors of that content.
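One way to audit stored content for this issue, as an added example that is not code from the plugin or from this advisory: the script below scans post bodies for the fluent_auth_reset_password shortcode and flags attribute values carrying markup or quote characters. The attribute name example_attr, the post dictionary layout and the sample posts are constructed assumptions; the advisory does not name the affected attributes.

```python
import html
import re

SHORTCODE = "fluent_auth_reset_password"  # shortcode name taken from the advisory

# Matches [fluent_auth_reset_password ...] and captures the raw attribute string.
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
# name="value", name='value' or name=bare, following WordPress shortcode syntax.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Characters and patterns that have no place in a plain-text attribute value.
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|javascript:|\bon\w+\s*=""", re.I)


def audit_posts(posts):
    """Return (post_id, author_role, attr_name, decoded_value) per flagged attribute."""
    findings = []
    for post in posts:
        for tag in TAG_RE.finditer(post["content"]):
            for m in ATTR_RE.finditer(tag.group(1)):
                raw = next(g for g in m.groups()[1:] if g is not None)
                # Stored content may hold entity-encoded characters; decode first.
                value = html.unescape(raw)
                if SUSPICIOUS_RE.search(value):
                    findings.append(
                        (post["id"], post["author_role"], m.group(1), value)
                    )
    return findings


# Constructed sample rows standing in for wp_posts content (not real data).
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": 'Help: [fluent_auth_reset_password example_attr="Reset your password"]'},
    {"id": 102, "author_role": "contributor",
     "content": """[fluent_auth_reset_password example_attr='x" data-test="1']"""},
    {"id": 103, "author_role": "contributor",
     "content": '[fluent_auth_reset_password example_attr="&quot;&gt;&lt;b&gt;hi"]'},
    {"id": 104, "author_role": "editor",
     "content": '[other_shortcode example_attr="<b>"]'},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Flagged entries are candidates for manual review, not confirmed payloads; a value containing `]` ends the shortcode match early and is not fully parsed by this sketch.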