Impact
The vulnerability in the WordPress Custom Top Bar plugin is an improper neutralization of input during web page generation: an attacker can inject script content that is stored by the plugin and later rendered to other visitors. This stored XSS flaw can lead to browser-based attacks such as session hijacking, defacement, or credential theft when authenticated or unauthenticated users view affected pages. The weakness is classified as CWE-79 and directly compromises the confidentiality, integrity, and availability of the website's front-end functionality.
Affected Systems
The Custom Top Bar plugin by Suman Biswas, in versions up to and including 2.1, is affected. The plugin is used within WordPress installations that embed a custom top-bar interface. There is no indication that other third-party products are impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity for this stored XSS. However, the EPSS score is below 1 %, suggesting that exploit attempts are uncommon, and the vulnerability is not listed in the CISA KEV catalog, which further implies a lower likelihood of exploitation in the wild. Nonetheless, because stored XSS can be triggered through normal user actions (such as posting a comment or configuring the plugin), the attack vector is plausible for remote attackers who can submit form data to the site. The likely attack path is submission of malicious content through the plugin's configuration form, which the site then renders without adequate escaping.
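As an added illustration (not code from the Custom Top Bar plugin or its author), the following WordPress snippet contrasts the unescaped rendering pattern the advisory describes with a version that sanitizes on save and escapes on output; the ctb_* function names, option keys and settings group are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names prefixed ctb_ are assumed.

// Sanitize on save: register_setting() runs the callback before the value
// reaches the options table, so stored data is already plain text.
add_action( 'admin_init', function () {
    register_setting( 'ctb_options', 'ctb_bar_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    register_setting( 'ctb_options', 'ctb_bar_color', array(
        'type'              => 'string',
        // Accept only a #rrggbb value; anything else falls back to black.
        'sanitize_callback' => function ( $value ) {
            return preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $value ) ? $value : '#000000';
        },
        'default'           => '#000000',
    ) );
} );

// VULNERABLE pattern (CWE-79): stored options are concatenated into HTML
// without escaping, so whatever was saved is rendered verbatim to visitors.
function ctb_render_bar_unsafe() {
    echo '<div class="ctb-bar" style="background:' . get_option( 'ctb_bar_color' ) . '">'
       . get_option( 'ctb_bar_text' ) . '</div>';
}

// HARDENED pattern: escape at the point of output with the escaper that
// matches the HTML context (attribute value vs. text node). This protects
// even values that were stored before the sanitize_callback existed.
function ctb_render_bar_safe() {
    $color = (string) get_option( 'ctb_bar_color', '#000000' );
    $text  = (string) get_option( 'ctb_bar_text', '' );
    printf(
        '<div class="ctb-bar" style="background:%s">%s</div>',
        esc_attr( $color ),
        esc_html( $text )
    );
}
add_action( 'wp_body_open', 'ctb_render_bar_safe' );
```

If the bar must allow limited markup such as links, replace esc_html() with wp_kses() and an explicit allowlist of tags and attributes rather than echoing the raw value.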
OpenCVE Enrichment