Impact
Custom Smilies, a WordPress plugin developed by Crazyloong, contains an Improper Neutralization of Input During Web Page Generation flaw, allowing attackers to store malicious script payloads through user inputs. The stored cross-site scripting can be triggered when a page that renders smilies is viewed, enabling attackers to execute arbitrary JavaScript in the victim’s browser, leading to session hijacking, defacement, or credential theft.
Affected Systems
WordPress sites running the Custom Smilies plugin version 2.9.2 or earlier are affected. This includes any installation that has not migrated to a later release containing the patch for the XSS vulnerability. The plugin is a third-party WordPress component, so only sites that have installed and activated it are at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of <1% suggests a low probability of current exploitation. The vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw by submitting malicious JavaScript through the plugin's input fields; the plugin stores the value without proper sanitization and later outputs it unescaped into pages viewed by users. Successful exploitation would only require a user to visit a page that renders the stored smilies; no additional network access or privileges are needed.
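As an added illustration (not the plugin's own code, which is PHP; this models the pattern in Python), the vulnerable concatenation is shown beside a hardened renderer, together with a check a site owner could run over stored smiley records while waiting to upgrade. The record layout (a text code plus an image URL), the function names and all sample values are assumptions; in a WordPress plugin the hardened output would use esc_url() and esc_attr() instead of html.escape.

```python
import html
from urllib.parse import urlparse

# Constructed sample of stored smiley records (assumed layout: the text code that
# gets replaced in post content, and the image URL rendered for it). The last two
# entries are deliberately malformed: an attribute-breaking quote and a non-image
# URL scheme.
STORED_SMILIES = [
    {"code": ":smile:", "url": "https://example.com/smilies/smile.png"},
    {"code": ":wink:", "url": "https://example.com/smilies/wink.png"},
    {"code": ':x"', "url": 'https://example.com/a.png" title="'},  # leaves the attribute
    {"code": ":js:", "url": "javascript:void(0)"},                 # not an image URL
]


def render_unsafe(smiley):
    """Vulnerable pattern: stored values concatenated straight into HTML."""
    return '<img src="' + smiley["url"] + '" alt="' + smiley["code"] + '">'


def safe_image_url(url):
    """Allow only absolute http(s) URLs; any other scheme is rejected."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_safe(smiley):
    """Hardened pattern: URL scheme allow-list plus attribute escaping.
    html.escape(quote=True) neutralises & < > " and ' so a stored value cannot
    close the attribute or open a new tag. Returns None for a rejected record."""
    if not safe_image_url(smiley["url"]):
        return None
    return '<img src="{}" alt="{}">'.format(
        html.escape(smiley["url"], quote=True),
        html.escape(smiley["code"], quote=True),
    )


def find_suspicious(records):
    """Defender check over stored records: flag any entry whose code or URL
    contains characters that can escape an attribute or tag context, or whose
    URL is not a plain http(s) image link."""
    markup = set('<>"\'')
    return [
        r for r in records
        if any(c in markup for c in r["code"] + r["url"]) or not safe_image_url(r["url"])
    ]
```

Running find_suspicious over a site's real smiley table (after exporting it) gives the records to review; the unsafe renderer is kept only to show why the escaping step matters.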
OpenCVE Enrichment
EUVD