Impact
This vulnerability arises from improper input neutralization in the Local Search SEO Contact Page plugin, enabling stored cross‑site scripting. An attacker who can inject data through the plugin’s input fields can store malicious script code that will be rendered in subsequent page requests, compromising the integrity and confidentiality of the site’s visitors. The weakness is identified as CWE‑79.
Affected Systems
The affected product is the Local Search SEO Contact Page plugin developed by ExpertBusinessSearch. Versions from the earliest releases through 4.0.1 are impacted. No specific patch version is listed in the data available.
Risk and Exploitability
The CVSS score of 6.5 classifies the issue as moderate severity, and the EPSS score of less than 1% indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker submitting malicious payloads through the plugin’s front‑end input forms or administrative data entry, which are then stored in the database and served to all users when the pages are rendered. While the description does not explicitly state the exact entry points, it is inferred that the plugin’s contact or search page forms are the primary vectors for the stored XSS injection.