The Sticky Content plugin for WordPress (bPlugins Sticky Content) contains a stored cross‑site scripting vulnerability due to improper neutralization of input during web page generation. An attacker can inject malicious scripts that are stored and later rendered in the plugin’s output, potentially enabling defacement, cookie theft, or session hijacking on sites that load the vulnerable plugin. This weakness corresponds to CWE‑79. The likely attack vector is injection via the plugin’s configuration interface, which requires administrative privileges.

The flaw affects all installations of the Sticky Content plugin from its earliest release up to and including version 1.0.1. Users of any WordPress site that have not updated beyond 1.0.1 are vulnerable.

The vulnerability has a CVSS score of 6.5, indicating a medium level of severity. Its EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Since the attack requires the injection of malicious content into the plugin’s stored data, it typically needs administrative privileges or control over the plugin’s configuration interface, but once a payload is stored it is executed for all site visitors who load the affected content. The likely attack vector is injection of malicious content through the plugin’s configuration interface, which requires administrative privileges. The risk therefore remains moderate but could result in significant compromise if exploited.