Impact
The vulnerability is a stored cross‑site scripting flaw allowing attacker‑controlled input to be saved in the plugin’s data store and later rendered without proper neutralization. This can enable execution of arbitrary JavaScript within the context of any user who views the affected avatar content, potentially leading to data theft, session hijacking, or defacement.
Affected Systems
The flaw affects the Author Avatars List/Block WordPress plugin developed by Paul Bearne in all releases up to and including version 2.1.23. Any WordPress installation that has this plugin installed and uses the avatar display functionality is potentially impacted.
Risk and Exploitability
The vulnerability has a CVSS score of 6.5, indicating moderate severity, while the EPSS score is less than 1%, implying a very low likelihood of exploitation at the time of analysis. The flaw is not listed in CISA’s KEV catalog. The likely attack vectors are the plugin’s input fields that store avatar data, which are rendered without escaping. An attacker would need to inject malicious script via those fields and then entice users to view the affected content. No public exploits have been reported, so the risk is primarily theoretical at present.