Impact
The OwnerRez API plugin contains an Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) flaw, classified as CWE-79, that allows attackers to inject malicious scripts into stored content. According to the description, this is a stored XSS vulnerability that affects any user interface that renders the compromised input. The resulting compromise can enable session hijacking, defacement, or transmission of further payloads.
Affected Systems
The weakness is present in all releases of the OwnerRez API plugin from the earliest known version up to and including 1.2.1. No information is supplied about versions later than 1.2.1, so any site running 1.2.1 or earlier should be treated as susceptible. The affected product is the OwnerRez API plugin as integrated into WordPress installations.
Risk and Exploitability
The CVSS base score is 6.5, indicating moderate severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the flaw by inserting a malicious payload through any input field that the plugin processes and persists; the script then executes in the browsers of site visitors when the stored content is displayed. Because the plugin is a WordPress component, input may be available to authenticated and, depending on configuration, unauthenticated users, but the stored nature of the flaw implies that the attack most likely originates from an authenticated operator or contributor who uploads or edits content on the site. No public exploit code is documented.