Zack Katz Links in Captions plugin versions up to 1.2 contain an improper neutralization of input during page generation, allowing attackers to inject and store malicious script code. This stored XSS flaw is linked to CWE‑79 and can give an attacker the ability to execute arbitrary JavaScript in the browsers of anyone who views a page containing the vulnerable caption. The impact is limited to the scope of user browsers and does not provide direct server‑side code execution.

Vulnerable installations include WordPress sites running the Links in Captions plugin, any version from the initial release through 1.2. Site owners should verify whether they use this plugin and note that all releases preceding 1.3 are affected. The vendor, Zack Katz, lists the affected range as "n/a through <= 1.2", meaning the issue is present in every available release up to, but not including, 1.3.

The CVSS base score of 6.5 reflects moderate risk; the EPSS score is under 1 % indicating historically low exploitation probability, and the vulnerability is not currently listed in CISA’s KEV catalog. Attackers could exploit the flaw by creating or editing a caption that contains crafted script content, which is then stored in the database and rendered into every user’s browser. The lack of server‑side input validation permits the stored payload to persist until the plugin is updated or removed.