Impact
Improper neutralization of user input during web page generation allows an attacker to store malicious JavaScript that is later rendered in the victim's browser. Through the affected Sticky Button plugin, an attacker can embed a payload that executes in the context of any user who views the impacted page, potentially stealing session cookies, defacing content, or redirecting traffic. This stored cross-site scripting flaw corresponds to CWE-79 and affects confidentiality, integrity, and availability to a degree that depends on the victim's role.
Affected Systems
All releases of the Sticky Button plugin by Asif Shakeel up to and including version 1.0 are vulnerable. The flaw is present in the plugin's default installation, including on sites that have done no more than minimal configuration. Sites that rely on this plugin for a call-to-action button or widget should treat every such installation as affected until the plugin is upgraded to a release later than 1.0.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity risk, while an EPSS score of less than 1% suggests a relatively low likelihood of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely target sites with exposed plugin interfaces, exploiting the stored XSS by inserting malicious JavaScript that is later served to site visitors. Because the payload is stored, it is replayed to every visitor without further attacker interaction, so the risk persists once a single injection succeeds.
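The following is an added illustration, not code from the Sticky Button plugin or from the advisory, of the CWE-79 pattern described in the Impact and Risk sections: a plugin saves attacker-controlled settings once and then interpolates them into HTML on every page view, so one successful injection is served to every visitor. The stored-settings dict, the payload strings, and all function names are constructed for this example; the hardened renderer neutralizes each value for the context it lands in (text node, attribute, URL, CSS token), which is what WordPress's esc_html(), esc_attr() and esc_url() helpers do in PHP.

```python
"""
Added example (not the plugin's own code): a vulnerable button renderer beside
its hardened form. Values in STORED_SETTINGS are constructed stand-ins for a
plugin's saved options; in a real site they would come from the options table.
"""
import html
import re
from urllib.parse import urlparse

# Constructed stand-in for a plugin's saved options. Because they are stored,
# the same payload is replayed on every page view until the settings are cleaned.
STORED_SETTINGS = {
    "label": 'Buy now<script>document.title="stored xss"</script>',
    "url": "javascript:alert(1)",
    "color": '#fff" onmouseover="alert(1)',
}

ALLOWED_URL_SCHEMES = {"http", "https"}


def render_button_vulnerable(settings: dict) -> str:
    """Before: raw interpolation of stored values into markup (the CWE-79 pattern)."""
    return (
        f'<a class="sticky-button" href="{settings["url"]}" '
        f'style="background:{settings["color"]}">{settings["label"]}</a>'
    )


def safe_url(value: str) -> str:
    """Keep only absolute http(s) URLs; any other scheme (javascript:, data:, ...) becomes '#'."""
    scheme = urlparse(value.strip()).scheme.lower()
    return value if scheme in ALLOWED_URL_SCHEMES else "#"


def safe_css_color(value: str) -> str:
    """Allow only a hex or plain named colour token; otherwise fall back to a default."""
    return value if re.fullmatch(r"#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20}", value) else "#000"


def render_button_hardened(settings: dict) -> str:
    """After: every stored value is neutralized for the context it is written into.

    - text node:  html.escape()            (equivalent of esc_html in WordPress)
    - attribute:  html.escape(quote=True)  (equivalent of esc_attr), after a
                  scheme check for the href and a format check for the colour
    """
    href = html.escape(safe_url(settings["url"]), quote=True)
    color = html.escape(safe_css_color(settings["color"]), quote=True)
    label = html.escape(settings["label"])
    return (
        f'<a class="sticky-button" href="{href}" '
        f'style="background:{color}">{label}</a>'
    )


def contains_active_markup(rendered: str) -> bool:
    """Defender-side sanity check: does the output still carry an unescaped
    script tag, an inline event handler, or a javascript: URL?"""
    lowered = rendered.lower()
    return (
        "<script" in lowered
        or "javascript:" in lowered
        or ' onmouseover="' in lowered
    )


if __name__ == "__main__":
    print("vulnerable:", render_button_vulnerable(STORED_SETTINGS))
    print("hardened:  ", render_button_hardened(STORED_SETTINGS))
```

The hardened renderer shows the two halves of a proper fix: encoding at output time for the exact HTML context, plus validation of values that encoding alone cannot make safe (a URL scheme, a CSS token). Detection on an already-compromised site works the other way round: inspect the stored plugin settings for tags, event-handler attributes, or javascript: URLs, since the injected value lives in the database rather than in any single request.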
OpenCVE Enrichment