Impact
Stored cross‐site scripting arises when unsanitized input is rendered into web pages. The Front End Users plugin contains a flaw that fails to neutralize user‑supplied data displayed on the site, allowing attackers to inject arbitrary JavaScript. If an attacker succeeds, the injected script runs in the context of any visitor's browser, potentially stealing session cookies, defacing content, or executing further actions on behalf of the user.
Affected Systems
The vulnerability impacts WordPress sites that have the Rustaurius Front End Users plugin installed, versions up to and including 3.2.30. Sites running a release newer than 3.2.30 are considered unimpacted. Site administrators should verify the plugin version and ensure it is not within the affected range.
Risk and Exploitability
The CVSS score of 6.5 reflects the medium severity of a stored XSS that requires a user to visit a crafted page. The EPSS is reported as less than 1%, indicating a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, a stored payload executes for every visitor who views the page that renders it, so the risk remains real for any exposed site. Based on the description, it is inferred that the likely attack vector is the plugin's front‑end user interface, where user input is accepted and later displayed without proper escaping.
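As an added illustration (not code from the Front End Users plugin or from this advisory), the hypothetical WordPress snippet below shows the unescaped output pattern the Impact section describes next to its hardened form; the fe_ function names and the meta keys are assumptions.

```php
<?php
// Hypothetical front-end profile card; NOT the Front End Users plugin's code.
// Assumes user-supplied "fe_display_name" and "fe_bio" values stored in user meta.

// VULNERABLE PATTERN: raw user meta echoed into the page, so markup saved
// in the bio or name field is rendered verbatim for every visitor.
function fe_profile_card_unsafe( $user_id ) {
    $name = get_user_meta( $user_id, 'fe_display_name', true );
    $bio  = get_user_meta( $user_id, 'fe_bio', true );
    echo '<div class="profile" data-name="' . $name . '">';
    echo '<h3>' . $name . '</h3><p>' . $bio . '</p></div>';
}

// HARDENED PATTERN: escape at output, picking the escaper for each HTML context.
function fe_profile_card_safe( $user_id ) {
    $name = get_user_meta( $user_id, 'fe_display_name', true );
    $bio  = get_user_meta( $user_id, 'fe_bio', true );
    // esc_attr() for attribute values, esc_html() for text nodes.
    echo '<div class="profile" data-name="' . esc_attr( $name ) . '">';
    echo '<h3>' . esc_html( $name ) . '</h3>';
    // If limited formatting must be allowed, wp_kses_post() removes script tags,
    // on* event handler attributes and disallowed URL schemes, keeping benign markup.
    echo '<p>' . wp_kses_post( $bio ) . '</p></div>';
}

// Defence in depth: sanitize on save as well, so the stored value is already clean,
// and check a nonce plus capability before writing another user's profile.
function fe_save_profile( $user_id ) {
    $nonce = isset( $_POST['fe_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['fe_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fe_save_profile' ) ) {
        return;
    }
    if ( get_current_user_id() !== (int) $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    $name = sanitize_text_field( wp_unslash( $_POST['fe_display_name'] ?? '' ) );
    $bio  = wp_kses_post( wp_unslash( $_POST['fe_bio'] ?? '' ) );
    update_user_meta( $user_id, 'fe_display_name', $name );
    update_user_meta( $user_id, 'fe_bio', $bio );
}
```

Output escaping is the control that actually closes the stored-XSS path; sanitizing on save is a second layer, since data can also enter user meta through other code paths.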