A Stored Cross‑Site Scripting vulnerability exists in the Ajax WP Query Search Filter WordPress plugin. Improper neutralization of input during web page generation allows attacker‑controlled data to be stored and later rendered without adequate escaping. The resulting impact enables arbitrary JavaScript execution in the context of any user who views the affected content, potentially leading to session hijacking, defacement or credential theft.

The vulnerability affects the WordPress plugin Ajax WP Query Search Filter for all versions up to and including 1.0.7. The affected vendor is TC.K and the plugin is used on any WordPress site that has installed a vulnerable version of Ajax WP Query Search Filter.

The vulnerability has a CVSS v3 score of 6.5, indicating moderate severity. The EPSS score of <1% reflects a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker submitting malicious input via the plugin’s search query form or other data entry points that are stored and later displayed. Successful exploitation requires that the attacker be able to inject data that is retained; this typically requires authentication to the WordPress site or exploitation of an unauthenticated input mechanism.