Impact
The WP Cookie plugin contains a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into pages that the plugin renders. Successful exploitation can lead to theft of browser cookies, session hijacking, or delivery of arbitrary code to site visitors. The flaw is caused by improper neutralization of input during web page generation and is classified as CWE-79.
Affected Systems
The vulnerability affects the WP Cookie plugin for WordPress, developed by aazztech. All releases up to and including version 1.0.0 are affected. The available data mentions no other affected product line.
Risk and Exploitability
The CVSS base score of 5.9 indicates medium severity. The EPSS score is below 1 %, implying a low likelihood of active exploitation at this time, and the vulnerability is not listed in CISA's KEV catalogue. The attack vector is not stated explicitly; inferring from the stored-XSS nature of the flaw, an attacker would need access to a page rendered by the plugin, either through a crafted input or by presenting the page to a victim. Real-world exploitation requires the malicious script to run in the victim's browser context, where it can compromise session data or perform further actions.