This flaw is an Improper Neutralization of Input During Web Page Generation, which can be abused to inject malicious scripts that are rendered when a page built by the HTML Forms plugin is viewed. The stored nature of the payload means the attacker only needs to submit the data once. Successful exploitation results in arbitrary client‑side code execution; the attacker can deface site content, hijack user sessions, or exfiltrate data that the user can access.

Link Software LLC’s HTML Forms WordPress plugin is affected, with vulnerability present in all releases up to and including version 1.5.1. Users running any copy of the plugin 1.5.1 or earlier on their WordPress sites should consider upgrading to the latest release, which removes the insecure handling of form inputs.

The CVSS base score of 7.1 indicates a medium‑high impact, but the EPSS is below 1% – the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation. The likely attack vector is local or authenticated, because the attacker must submit form data that will later be rendered; an unauthenticated user could likely inject content that an administrator or other visitor later views. Given these factors, administrators should prioritize patching.