The ReverbNation Widgets plugin implements a form of stored XSS that allows an attacker to submit script code that is then rendered in the page source. This flaw stems from a failure to neutralise user input before inserting it into the page, as identified by the CWE‑79 classification. If exploited, the attacker could execute arbitrary code within the browser of any visitor to the site, potentially leading to session hijacking, credential theft, defacement, or the loading of additional malicious payloads. The vulnerability does not appear to provide direct system access, but it can compromise confidentiality and integrity of user sessions, and it can influence the availability of the site if an attacker swallows all traffic with malicious scripts.

WordPress sites running the ReverbNation Widgets plugin version 2.1 or earlier are affected. The issue covers all releases from the initial version through the latest 2.1 release, which means any deployment of those versions must be examined. The plugin is supplied by reverbnationdev and the name ReverbNation Widgets is used in the CNA metadata.

The CVSS score of 6.5 indicates moderate overall risk, while the EPSS of less than 1% shows a very low but non‑zero chance of widespread exploitation at the moment. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation would require an attacker to have the ability to send a crafted input that is stored by the plugin – typically this would be through a front‑end or administration interface where the plugin accepts user‑generated content. Once stored, the script executes in the browser of any user who views the affected page, offering a classic stored XSS attack vector.