The vulnerability is an improper neutralization of input during web page generation, which allows malicious scripts to be stored within the WordPress WP Biographia plugin’s data. The stored cross‑site scripting flaw (CWE‑79) can cause scripts to run in any user’s browser that views the affected content, potentially leading to session hijacking, credential theft, defacement, or the delivery of malware to visitors of the website. The CVSS score of 5.9 indicates that the impact is moderate, affecting confidentiality and integrity but not directly compromising availability of the host system.

The flaw affects the Vicchi WP Biographia WordPress plugin in all releases up to and including version 4.0.0. No other vendors or products are listed, and the vulnerability has no version range beyond the stated upper bound of 4.0.0.

The EPSS score is listed as less than 1 %, indicating a low probability of exploitation at present, and the vulnerability is not recorded in the CISA KEV catalog. Based on the description, it is inferred that an attacker must be able to submit or modify plugin‑stored data—for example by creating or editing a biography entry, or uploading media—to insert malicious code. The stored nature of the flaw means that once a payload is saved, it will be rendered to every visitor who accesses the entry, thus offering a wide attack surface once the plugin is installed on a site.