This vulnerability is a stored cross-site scripting (XSS) flaw that arises from the plugin’s failure to properly neutralize user-supplied input before rendering it within web pages. Because the content is persisted, an attacker can inject malicious script that executes in the browsers of any visitor who views the affected pages, potentially enabling session hijacking, credential theft, or defacement of the site. The weakness is an example of improper input neutralization, classified as CWE‑79.

The affected product is the WordPress plugin Email Address Security by WebEmailProtector from the vendor dsrodzin. Vulnerable across all releases up to and including version 3.3.6. No other vendors or versions are listed as impacted.

The CVSS score of 6.5 indicates a moderate severity for a stored XSS flaw. The EPSS score is less than 1%, suggesting a low current probability of exploitation, though this does not eliminate risk. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been observed or leveraged in known attacks. Because the flaw allows arbitrary code execution in users’ browsers, the primary attack vector is via a web page that processes stored user input; an attacker typically requires a way to encode input into a stored payload, such as through a form or comment system that the plugin processes. Based on the description, it is inferred that the attacker must have a means to inject the payload into stored content that the plugin subsequently displays.