Impact
The vulnerability is a classic stored XSS flaw that allows an attacker to inject malicious script into the plugin's output. Because the input is not properly sanitized when the plugin generates web pages, any script the attacker submits is stored and later executed in the browser of every visitor to the affected page. Successful exploitation would let an attacker steal session cookies, mount phishing attacks, or load additional malicious content, compromising the confidentiality and integrity of users' data as well as the integrity of the site itself. The weakness is classified as CWE-79, which confirms that the root cause is insufficient input sanitization.
Affected Systems
The flaw exists in the WP Virtual Assistant plugin developed by Loopus and affects all versions from the initial release up through version 3.1 inclusive. No further version information is provided, so any installation of the plugin at or below 3.1 should be treated as potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium-to-high severity vulnerability. The EPSS score of < 1% shows that the overall exploitation probability is low, and the absence of a KEV listing confirms that no known real-world exploits have been observed yet. However, the attack vector is inferred to involve untrusted input submitted through the plugin's interface, meaning that anyone who can submit data to the assistant is potentially able to inject code. Once injected, the code runs with the privileges of whichever site visitor loads the page, so ordinary users and logged-in administrators are exposed alike.
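To make the mechanism described in the Impact and Risk sections concrete, the following is an added example in PHP (the language of WordPress plugins) showing the stored-XSS pattern beside its hardened form. It is not code from the WP Virtual Assistant plugin; the option name wpva_greeting, the form field, and the function names are assumptions.

```php
<?php
// Added example, not code from the WP Virtual Assistant plugin. It assumes a
// hypothetical setting 'wpva_greeting' that is submitted through a form and
// later printed into a page; the storage mechanism itself is an assumption.

// VULNERABLE pattern: the submitted value is stored and later echoed verbatim,
// so a payload containing markup is served to every visitor (CWE-79).
function wpva_save_greeting_unsafe() {
    if ( isset( $_POST['wpva_greeting'] ) ) {
        update_option( 'wpva_greeting', wp_unslash( $_POST['wpva_greeting'] ) );
    }
}
function wpva_render_greeting_unsafe() {
    // No escaping: whatever was stored becomes part of the page's HTML.
    echo '<div class="wpva-greeting">' . get_option( 'wpva_greeting', '' ) . '</div>';
}

// HARDENED pattern: restrict who may write, verify the request, sanitize on
// input, and escape on output for the exact HTML context the value lands in.
function wpva_save_greeting_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // unprivileged users cannot change the stored value
    }
    check_admin_referer( 'wpva_save_greeting' ); // nonce check; stops on failure
    if ( isset( $_POST['wpva_greeting'] ) ) {
        // Strip tags and control characters before the value reaches the database.
        $clean = sanitize_text_field( wp_unslash( $_POST['wpva_greeting'] ) );
        update_option( 'wpva_greeting', $clean );
    }
}
function wpva_render_greeting_safe() {
    // Output escaping is what actually prevents a stored payload from running;
    // input sanitization alone is not enough if any other code writes the option.
    $greeting = get_option( 'wpva_greeting', '' );
    echo '<div class="wpva-greeting" data-greeting="' . esc_attr( $greeting ) . '">'
        . esc_html( $greeting ) . '</div>';
}
```

If the setting is meant to carry limited HTML, wp_kses_post() on input and output is the WordPress way to allow a safe subset rather than falling back to raw echo.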
OpenCVE Enrichment