This vulnerability is an instance of improper neutralization of input during web page generation, specifically a stored cross‑site scripting (XSS) flaw that allows an attacker to persist malicious script payloads in the Easy FAQs plugin content. When a user views a page containing the compromised FAQ, the script executes in that user’s browser, potentially hijacking sessions, defacing the site, or defrauding users. The CWE classification for this weakness is CWE‑79. The threat exists because the plugin does not sanitize or escape input before storing or rendering it. The vulnerability is limited to the Easy FAQs plugin and does not affect the underlying WordPress core or other plugins directly.

The affected product is the Easy FAQs plugin developed by ghuger. All versions up to and including 3.2.1 are impacted. No specific sub‑version detail is listed; any user still on 3.2.1 or earlier is vulnerable.

The CVSS score is 6.5, indicating a medium severity. The EPSS score is reported as less than 1 %, suggesting the probability of exploitation at present is very low, and the vulnerability is not listed in the CISA KEV catalog. A likely attack vector involves an attacker who can submit or edit FAQ content—either an authenticated user with editor privileges or a compromised account—to inject a malicious script that is then stored and served to all visitors of the affected FAQ page. The requirement for attacker interaction limits the ease of exploitation, but once compromised it affects every viewer of the page.