Impact
The flaw is a stored cross‑site scripting vulnerability caused by improper neutralization of user input during page rendering. An attacker can inject malicious JavaScript that is persisted in the plugin’s database and executed in the browser of any visitor who accesses a page containing the infected content, compromising confidentiality and integrity and enabling phishing, session hijacking, or data exfiltration. The weakness is identified as CWE‑79.
Affected Systems
The vulnerability affects all installations of the WordPress Simplebooklet PDF Viewer and Embedder plugin at versions up to and including 1.1.1. Site owners running these plugin versions on their WordPress sites are potentially exposed; no further operating system specifics are provided.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% denotes a low probability of active exploitation at present. An attacker must supply malicious input via the plugin’s data‑collection interface; the impact manifests only when a visitor loads a page that retrieves the stored payload, meaning the danger is confined to client‑side script execution rather than server‑side code execution. The flaw is not listed in CISA’s KEV catalog, yet site administrators should be aware that vulnerable sites could be compromised when unsuspecting visitors execute injected scripts.