Impact
The Graceful Email Obfuscation plugin for WordPress (up to version 0.2.2) contains a stored cross-site scripting (XSS) flaw: user-supplied input is not neutralized before it is written into a web page. An attacker who can introduce data into the plugin’s email or configuration fields can embed malicious JavaScript, which is then rendered in the browser whenever an affected page is viewed. The vulnerability is classified as CWE‑79 and is assigned a CVSS score of 6.5, indicating moderate severity.
Affected Systems
Any WordPress site that installs the Graceful Email Obfuscation plugin by nicholaswilson with a version of 0.2.2 or earlier is impacted. The issue does not affect releases beyond 0.2.2, but any installation still using a vulnerable version remains at risk until it is updated to a non‑vulnerable release.
Risk and Exploitability
The EPSS score of less than 1% indicates a low current likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Nonetheless, because the stored payload executes in visitors’ browsers, the potential impact remains significant. An attacker who can supply input to the vulnerable fields may insert code that runs for every user who views a page containing the stored data, potentially exposing cookies or session data. The risk is therefore considered moderate to high, warranting timely remediation.
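As an added illustration of the pattern this advisory describes (not code from the Graceful Email Obfuscation plugin, whose source is not shown here): a WordPress option rendered without escaping, beside a version that validates the address on save and escapes it on output. All option, group, shortcode and function names are hypothetical.

```php
<?php
/*
 * Added example, not the plugin's own code. Demonstrates the stored-XSS
 * pattern (unescaped option echoed into HTML) and the hardened form.
 * Option, group, shortcode and function names are hypothetical.
 */

// VULNERABLE PATTERN: the saved value goes into the page unchanged, so any
// markup stored in the option is rendered, and scripted markup executes in
// every visitor's browser.
function geo_example_render_unsafe() {
    $email = get_option( 'geo_example_contact_email', '' );
    return '<a href="mailto:' . $email . '">' . $email . '</a>';
}

// HARDENED, step 1: validate on save. register_setting() runs the
// sanitize_callback before the value is written, so only a syntactically
// valid address reaches the database.
add_action( 'admin_init', function () {
    register_setting( 'geo_example_group', 'geo_example_contact_email', array(
        'type'              => 'string',
        'sanitize_callback' => 'geo_example_sanitize_email',
        'default'           => '',
    ) );
} );

function geo_example_sanitize_email( $value ) {
    $clean = sanitize_email( (string) $value ); // drops characters not valid in an address
    if ( ! is_email( $clean ) ) {
        add_settings_error( 'geo_example_contact_email', 'invalid_email',
            'Contact email must be a valid address.' );
        return get_option( 'geo_example_contact_email', '' ); // keep the previous value
    }
    return $clean;
}

// HARDENED, step 2: escape on output, for the context the value lands in.
// Save-time validation can be bypassed (direct database edit, import), so
// output escaping is the control that actually prevents script execution.
function geo_example_render_safe() {
    $email = get_option( 'geo_example_contact_email', '' );
    if ( '' === $email ) {
        return '';
    }
    return '<a href="' . esc_url( 'mailto:' . $email ) . '">' . esc_html( $email ) . '</a>';
}

add_shortcode( 'geo_example_contact', 'geo_example_render_safe' );
```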