Impact
An Improper Neutralization of Input During Web Page Generation weakness has been identified in The Jake Group WP Less Compiler plugin, enabling attackers to inject malicious scripts that persist in the website’s content. The vulnerability allows stored cross‑site scripting: injected code is executed whenever the compromised content is rendered to any site visitor, potentially exposing user credentials or allowing session hijacking. The weakness is classified as CWE‑79 and is not limited to a single user; it can affect all users who view the impacted pages.
Affected Systems
WordPress sites running the WP Less Compiler plugin, version 1.3.0 or earlier, are affected. The plugin is published by The Jake Group; according to the CNA information, no other vendors are affected.
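To check an installation against the affected range above, the following added example (not code from the advisory or from the plugin) reads WordPress plugin headers and flags WP Less Compiler at version 1.3.0 or earlier. It assumes the plugin's main file declares `Plugin Name: WP Less Compiler`; the sample headers are constructed.

```python
import re
from pathlib import Path

# Assumption: the main plugin file declares this name in its "Plugin Name:" header.
PLUGIN_NAME = "WP Less Compiler"
LAST_AFFECTED = (1, 3, 0)  # the advisory lists version 1.3.0 or earlier

# Same header layout WordPress itself reads: "Key: value" inside a leading comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M | re.I)

def version_tuple(version):
    """'1.3' -> (1, 3, 0); a suffix such as '-beta' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(php_source):
    """Return None for other plugins, else (version, affected)."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    if (fields.get("plugin name") or "").lower() != PLUGIN_NAME.lower():
        return None
    version = fields.get("version")
    if not version or not re.search(r"\d", version):
        return (version, True)  # no usable version: cannot rule the install out
    return (version, version_tuple(version) <= LAST_AFFECTED)

def scan(plugins_dir):
    """Check every top-level PHP file of every plugin under wp-content/plugins."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        result = assess(php.read_text(encoding="utf-8", errors="replace"))
        if result is not None:
            findings.append((str(php), *result))
    return findings

# Constructed sample headers, not copied from the real plugin.
SAMPLE_OLD = "<?php\n/*\n * Plugin Name: WP Less Compiler\n * Version: 1.3.0\n */\n"
SAMPLE_NEW = "<?php\n/*\nPlugin Name: WP Less Compiler\nVersion: 1.3.1\n*/\n"
SAMPLE_OTHER = "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 0.1\n*/\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_OTHER):
        print(assess(sample))
```

Call `scan()` with the path to a site's `wp-content/plugins` directory; each finding is `(file, version, affected)`.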
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity assessment. The EPSS score is below 1 %, suggesting that widespread exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, attackers who can attain in‑process control or manage comments and other content entry points could leverage the stored XSS to run arbitrary client‑side code. The likely attack vector is through the plugin’s source handling, which processes user input that is later rendered without adequate sanitization.