Impact
The MailerLite – Signup forms (official) plugin for WordPress contains a stored cross‑site scripting flaw that allows injection of arbitrary JavaScript via the form_description and success_message parameters in plugin versions up to and including 1.7.16. Input filtering is insufficient and output escaping is omitted, which lets an attacker store a payload that executes whenever anyone views a page that renders the stored data. This can lead to credential theft, session hijacking, site defacement, or the execution of malicious scripts in every visitor's browser. The vulnerability is classified as CWE‑79.
Affected Systems
WordPress sites running the MailerLite – Signup forms (official) plugin, versions 1.7.16 and earlier, are affected. Exploitation requires authenticated administrator‑level or higher access in order to submit the malicious form fields.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium impact profile, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The flaw is not currently listed in the CISA KEV catalog, but an attacker who acquires administrator credentials can exploit it, after which the stored script runs in the browser of any site visitor. The attack vector is inferred to be the plugin’s backend forms, which are accessible only to authenticated administrators. Mitigation means removing the flaw, either through an update or through a workaround that properly sanitizes the stored content on input and escapes it on output.
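The two defects the advisory names, insufficient input filtering and omitted output escaping, are both addressed in the following illustrative WordPress save/render pair. This is an added example, not the MailerLite plugin's own code: it assumes it runs inside WordPress, and the option key, admin action name, field names and shortcode are hypothetical. It uses only standard WordPress helpers (current_user_can, check_admin_referer, wp_kses, sanitize_text_field, esc_html, esc_attr).

```php
<?php
/**
 * Illustrative hardened save/render pair for a signup-form plugin.
 * Added example, not the MailerLite plugin's code. Assumes a WordPress
 * runtime; option key, action name, field names and shortcode are hypothetical.
 */

const EXAMPLE_OPTION = 'example_signup_form_settings';   // hypothetical option key

/* Markup allowed in the two rich-text fields. Anything outside this allowlist
 * (script elements, on* event handlers, javascript: URLs) is removed by wp_kses(). */
function example_allowed_tags() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'p'      => array(),
    );
}

/* Save handler, hooked to admin_post_example_save_form (hypothetical action). */
function example_save_form() {
    // Authorisation and CSRF checks: the right capability, and a request from our own form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_form' );

    $raw = wp_unslash( $_POST );   // strip WordPress' added slashes before sanitising

    $settings = array(
        // Plain-text field: tags and control characters removed on the way in.
        'form_title'       => sanitize_text_field( $raw['form_title'] ?? '' ),
        // Rich-text fields: reduced to the allowlist rather than trusted,
        // even though only administrators can reach this handler.
        'form_description' => wp_kses( $raw['form_description'] ?? '', example_allowed_tags() ),
        'success_message'  => wp_kses( $raw['success_message'] ?? '', example_allowed_tags() ),
    );

    update_option( EXAMPLE_OPTION, $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_form', 'example_save_form' );

/* Render: escape at output time, picking the escaper by the context the value
 * lands in. Input-side sanitising alone is not enough, because stored data can
 * change later (direct database edits, imports, other plugins). */
function example_render_form( $settings ) {
    // Plain text inside an element body: esc_html().
    $title = esc_html( $settings['form_title'] ?? '' );
    // Allowlisted HTML fragment: wp_kses() again with the same allowlist, so the
    // output contract does not depend on what happens to be stored.
    $description = wp_kses( $settings['form_description'] ?? '', example_allowed_tags() );
    // Value placed in an attribute (here a data-* attribute read by front-end JS): esc_attr().
    $success_attr = esc_attr( wp_strip_all_tags( $settings['success_message'] ?? '' ) );

    return '<div class="example-signup" data-success="' . $success_attr . '">'
         . '<h3>' . $title . '</h3>'
         . '<div class="description">' . $description . '</div>'
         . '</div>';
}

/* Shortcode so the form can be embedded in a page (hypothetical shortcode name). */
add_shortcode( 'example_signup', function () {
    return example_render_form( get_option( EXAMPLE_OPTION, array() ) );
} );
```

The design point is that escaping happens at the last moment and is chosen by context (element body, HTML fragment, attribute), so a stored value is never echoed as-is. One caveat worth keeping in mind when reading the "requires administrator access" qualifier: on a single-site WordPress install administrators hold the unfiltered_html capability, so the platform itself permits them to store raw HTML; it is the plugin's unescaped output of that stored data that turns one admin account into a script-injection point for every visitor, which is why the plugin must escape its own output regardless of who saved the value.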
OpenCVE Enrichment