This vulnerability is a stored cross‑site scripting flaw that allows malicious input to be stored by the DZS Ajaxer Lite plugin and subsequently rendered in the browsing context of any user visiting a page that incorporates that data. The improper neutralization of input can lead to session hijacking, credential theft, defacement of the site, and execution of arbitrary code within the visitor’s browser, compromising confidentiality, integrity, and reputation. The weakness is a classic example of CWE‑79, where user‑controlled data is not properly escaped before being included in generated content.

The flaw affects the WordPress DZS Ajaxer Lite plugin version 1.04 and earlier, distributed by digitalzoomstudio. Any WordPress installation that has one of these versions installed is vulnerable; compatible platforms are PHP‑based WordPress sites running the plugin through its latest stable build.

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. While the CVE description states that stored XSS can be achieved, the specific method by which an attacker would inject malicious payloads is not detailed. Based only on the description, the likely attack vector requires the attacker to place malicious input that the plugin stores and later renders without proper escaping; this could be accomplished if the attacker has access to a form or an administrative interface that accepts unsanitized data. Because no additional constraints or technical details are provided, we cannot confirm whether remote co‑operation or privileged access is required, but the presence of a stored XSS flaw generally allows exploitation by users who can influence stored content that is later displayed.