Impact
The vulnerability allows an attacker to store malicious scripts in the WordPress AI Preloader plugin, which are later rendered unsanitized into web pages. This leads to Stored Cross-site Scripting, enabling arbitrary JavaScript execution in the browsers of any user who views the affected content. The impact is primarily confidentiality and integrity of the user session, potentially allowing credential theft, session hijacking, or defacement of content. The weakness is a classic input validation flaw (CWE-79).
Affected Systems
The affected product is the Atikul AI Preloader WordPress plugin, version 1.0.2 and older. Users running this plugin on any website are at risk.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation attempts have not been widely observed, yet because the vulnerability is stored XSS, any content an attacker can persist in the plugin (such as widget settings or custom scripts) will execute for every visitor. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog, so no mass-exploitation data is available, but the attack vector is web-based: the payload is stored by an attacker who gains access to the plugin's configuration or by another compromised user, and it then runs in the browser of any visitor to the site. The risk to an organization depends on how many users are allowed to input content through the plugin and whether that data is displayed on public-facing pages. Overall, while the likelihood of exploitation is low, the potential impact makes remediation important.
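The pattern the advisory describes (a plugin setting persisted by a privileged user and later echoed into the page without escaping) next to its hardened form, as an added example: this is not the AI Preloader plugin's own code, and the option names, field names and function names are hypothetical.

```php
<?php
// Hypothetical preloader settings: option/field/function names are assumptions
// for this example, not the real plugin's identifiers.

// --- Vulnerable pattern: the stored value is rendered verbatim ---
function xss_demo_render_preloader_vulnerable() {
    $html = get_option( 'xss_demo_preloader_html', '' );
    // Whatever was saved (including <script> or on* handlers) lands in the page
    // for every visitor: this is the stored XSS the advisory describes.
    echo '<div id="xss-demo-preloader">' . $html . '</div>';
}

// --- Hardened pattern: restrict who can save, sanitize on save, escape on output ---
function xss_demo_save_preloader_settings() {
    // Only users allowed to manage options may change the stored markup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Verify the request came from this plugin's settings form (nonce check).
    check_admin_referer( 'xss_demo_preloader_save' );

    $raw = isset( $_POST['preloader_html'] ) ? wp_unslash( $_POST['preloader_html'] ) : '';
    // wp_kses_post() keeps only the HTML allowed in post content, dropping
    // <script>, on* event attributes and javascript: URLs before storage.
    update_option( 'xss_demo_preloader_html', wp_kses_post( $raw ) );

    // A value destined for an attribute gets a type-specific sanitizer.
    $color = isset( $_POST['preloader_color'] ) ? sanitize_hex_color( wp_unslash( $_POST['preloader_color'] ) ) : '';
    update_option( 'xss_demo_preloader_color', $color ? $color : '#ffffff' );
}

function xss_demo_render_preloader_hardened() {
    $html  = get_option( 'xss_demo_preloader_html', '' );
    $color = get_option( 'xss_demo_preloader_color', '#ffffff' );
    // Escape at the output point as well, matched to the context: esc_attr()
    // for the attribute, wp_kses_post() for the rich-text fragment. Stored
    // values may predate the sanitizing save handler, so output escaping is
    // what actually closes the hole on existing data.
    printf(
        '<div id="xss-demo-preloader" style="background:%s">%s</div>',
        esc_attr( $color ),
        wp_kses_post( $html )
    );
}

add_action( 'wp_footer', 'xss_demo_render_preloader_hardened' );
```

When reviewing a plugin for this class of bug, look for every `get_option()` value that reaches `echo`/`printf` without an `esc_*()` or `wp_kses*()` call, and for save handlers missing `current_user_can()` and a nonce check.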
OpenCVE Enrichment