Impact
The EP4 More Embeds plugin for WordPress does not properly neutralize input during web page generation, which results in a stored XSS flaw. A payload entered through the plugin’s content fields is persisted in the database and subsequently rendered inside the site’s pages without sanitization, where it can execute in a visitor’s browser. This weakness, identified as CWE‑79, can lead to theft of session cookies, defacement of pages, or delivery of malware to users.
Affected Systems
The vulnerability is present in every release of the EP4 More Embeds plugin up to and including version 1.0.0, as released by developer Dave Lavoie. WordPress sites that have this plugin installed and active are affected, regardless of the site’s role or user base.
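To check a site against this affected range, the following added example (not code from the plugin or from OpenCVE) scans a WordPress plugins directory for copies of the plugin at or below 1.0.0 by reading the standard plugin header comment. It assumes the header's `Plugin Name` value matches the name used in this advisory; the directory names and the 1.0.1 version in the sample tree are constructed, and the scan reports installed copies only, since activation state is stored in the database.

```python
import re
import tempfile
from pathlib import Path

TARGET_NAME = "ep4 more embeds"  # advisory's plugin name; assumed to equal the header value
LAST_AFFECTED = (1,)             # 1.0.0 with trailing zeros stripped
HEADER_BYTES = 8192              # WordPress reads only the first 8 KB for headers

def read_header(php_file, field):
    """Return a plugin header field ("Plugin Name", "Version") or None."""
    head = php_file.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", head, re.I | re.M)
    return re.sub(r"\s*(\*/|\?>).*", "", m.group(1)).strip() if m else None

def version_key(text):
    """'1.0.0' -> (1,), '1.0.1-beta' -> (1, 0, 1); unparseable -> () (flagged)."""
    nums = [int(n) for n in re.findall(r"\d+", (text or "").split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def find_affected(plugins_dir):
    """Return [(relative path, version)] for copies at or below 1.0.0."""
    root = Path(plugins_dir)
    hits = []
    for php_file in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        name = read_header(php_file, "Plugin Name")
        if name and name.lower() == TARGET_NAME:
            version = read_header(php_file, "Version")
            if version_key(version) <= LAST_AFFECTED:
                hits.append((php_file.relative_to(root).as_posix(), version))
    return hits

def demo():
    """Run the scan over a constructed plugins tree (directory names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name, ver in [("site-a-embeds", "EP4 More Embeds", "1.0.0"),
                                ("site-b-embeds", "EP4 More Embeds", "1.0.1"),
                                ("other", "Some Other Plugin", "0.9")]:
            d = Path(tmp, slug)
            d.mkdir()
            (d / "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(tmp)

if __name__ == "__main__":
    print(demo())
```

A copy whose `Version` header is missing or unparseable is reported as affected so that it gets reviewed by hand.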
Risk and Exploitability
The CVSS score of 7.1 classifies this flaw as a high‑severity issue, while the EPSS score of less than 1% indicates a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by injecting a malicious script via the plugin’s administrative interface; the payload is then served to any user who views the affected content, leading to client‑side compromise. Although the likelihood of attack appears minimal, the potential impact on privacy, integrity, and reputation warrants immediate remediation.