The vulnerability arises from improper neutralization of user input during web page generation, allowing attackers to store malicious scripts that are later displayed to site visitors. This stored XSS flaw can lead to session hijacking, cookie theft, or the execution of arbitrary code within the browser context of authenticated or unauthenticated users. The weakness is identified by CWE‑79 and carries a CVSS score of 7.1, indicating a high impact if exploited.

The flaw exists in the WordPress Album Reviewer plugin, version 2.0.2 and earlier, released by the vendor ed atrero. All instances of the plugin that have not been updated to a newer release are potentially vulnerable.

The EPSS score is below 1 percent, suggesting that the probability of automated exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the vulnerability permits stored malicious content that can be displayed to any visitor, an attacker who can submit content—perhaps via a publicly writable review form—could embed JavaScript that executes in the browsers of site users. The attack vector is inferred to be via the plugin’s data entry points, where form data is saved without proper sanitization and later rendered directly in the page.