The Simple Select All Text Box plugin contains a stored cross‑site scripting flaw that arises from improper neutralization of input during web page generation. An attacker can inject malicious script into the plugin’s data store, causing any visitor to the site to execute that script in the context of the affected WordPress installation. This vulnerability is rooted in CWE‑79 and enables the attacker to compromise user sessions, steal credentials, deface content, or redirect users to malicious sites.

The vulnerability affects the Simple Select All Text Box plugin developed by Garrett Grimm. All released versions from the earliest available up to and including version 3.2 are impacted. No later versions are known to contain the flaw.

The CVSS base score of 6.5 indicates moderate severity and moderate exploitation complexity for this XSS vulnerability. The EPSS score is below 1%, indicating historically low exploitation frequency. The flaw is not listed in the CISA KEV catalog, suggesting limited public exploitation. The likely attack vector is through the plugin’s input interface, where malicious data can be stored and then rendered unescaped when pages are generated. Because the flaw is stored, successful exploitation requires an initial injection of payloads via the plugin’s form or data entry points, but once stored it can affect all site visitors.