Impact
This vulnerability arises from improper neutralization of user input during web page generation and permits a stored cross-site scripting attack. An attacker can inject malicious JavaScript that later executes in the browsers of any user who views the affected page, enabling session hijack, defacement, or other client-side compromises. The weakness is classified as CWE-79 and is characterized by the injection of untrusted data that is subsequently rendered without adequate escaping.
Affected Systems
The issue affects the WordPress plugin alordiel Dropdown Multisite selector in all releases up to, but not including, version 0.9.4. The plugin is used to provide a dropdown selector for multisite WordPress installations.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog, indicating no publicly documented exploits. Likely exploitation would involve an attacker submitting malicious content through the plugin’s storage mechanism—most plausibly via the administrator interface or a public-facing form—so that the stored payload is later displayed to site visitors. While the attack vector is predictable, the low EPSS and absence from KEV reduce the immediacy of risk, though the potential impact on users remains significant.
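The following is an added illustration, not code from the Dropdown Multisite selector plugin, showing the CWE-79 pattern described above in a hypothetical WordPress dropdown renderer beside its escaped form. The function names, the option key `dms_site_labels` and the sample labels are assumptions constructed for the example.

```php
<?php
// Added illustration, not code from the Dropdown Multisite selector plugin.
// Hypothetical helper names and the option key 'dms_site_labels' are assumptions.

// VULNERABLE: a stored site label is echoed straight into the <select>
// markup. Whatever was saved in the label is emitted verbatim, which is
// the "rendered without adequate escaping" pattern the advisory describes.
function dms_render_dropdown_vulnerable( array $sites ) {
    $html = '<select name="dms_site">';
    foreach ( $sites as $blog_id => $label ) {
        $html .= '<option value="' . $blog_id . '">' . $label . '</option>';
    }
    return $html . '</select>';
}

// HARDENED: contextual output escaping at render time. esc_attr() for the
// attribute context, esc_html() for element text; both are WordPress core.
function dms_render_dropdown_safe( array $sites ) {
    $html = '<select name="dms_site">';
    foreach ( $sites as $blog_id => $label ) {
        $html .= '<option value="' . esc_attr( (string) (int) $blog_id ) . '">'
               . esc_html( $label ) . '</option>';
    }
    return $html . '</select>';
}

// HARDENED: sanitize on the way in as well. Registering the option with a
// sanitize callback strips markup from labels before they reach the
// database; the Settings API still enforces capability and nonce checks.
function dms_sanitize_labels( $labels ) {
    $clean = array();
    foreach ( (array) $labels as $blog_id => $label ) {
        $clean[ (int) $blog_id ] = sanitize_text_field( wp_unslash( $label ) );
    }
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'dms_options', 'dms_site_labels', array(
        'type'              => 'array',
        'sanitize_callback' => 'dms_sanitize_labels',
    ) );
} );

// Constructed sample: a label containing harmless markup shows the
// difference. The safe renderer emits &lt;i&gt;site&lt;/i&gt; as text,
// whereas the vulnerable one would emit a live <i> element.
$sample = array( 1 => 'Main <i>site</i>', 2 => 'Docs' );
echo dms_render_dropdown_safe( $sample );
```

Escaping at output is what closes the vulnerability class; input sanitization is defence in depth, since the same stored value may later be rendered in a context the sanitizer did not anticipate.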
OpenCVE Enrichment