Impact
This vulnerability permits stored cross‑site scripting in the Bridge Core plugin for WordPress. The flaw arises because user input is not properly neutralized before being rendered on web pages. An attacker can store malicious script through the plugin interface, causing that script to execute in the browsers of other visitors. This can lead to session hijacking, defacement, or phishing attacks, compromising confidentiality, integrity, and authenticity of the site.
Affected Systems
WordPress sites that use the Bridge Core plugin version 3.3.0 or earlier are affected. There is no known indication that beta versions exist; any deployment in the v3.3.x release line before 3.3.1 is vulnerable. The vendor is the WordPress plugin author NotFound.
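To inventory affected installs, the version boundary above can be checked against the standard WordPress plugin header comment. The following is an added example, not code from the plugin or the advisory; it assumes the plugin's main file declares `Plugin Name: Bridge Core`, and the sample headers are constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = (3, 3, 0)    # advisory: 3.3.0 or earlier is affected
PLUGIN_NAME = "Bridge Core"  # assumed header value, taken from the advisory's plugin name

# Same line shape WordPress accepts for header fields inside a comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def parse_header(php_source):
    """Return (name, version) from a WordPress plugin header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    return fields.get("plugin name"), fields.get("version")

def version_tuple(version):
    """Numeric prefix of a version string as a 3-tuple; '3.3' -> (3, 3, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(php_source):
    """True if the header names Bridge Core at a version <= 3.3.0."""
    name, version = parse_header(php_source)
    if name is None or name.lower() != PLUGIN_NAME.lower():
        return False
    if not version:
        return True  # no version declared: treat as affected until verified
    return version_tuple(version) <= LAST_AFFECTED

def scan(plugins_dir):
    """Yield main plugin files under a wp-content/plugins tree that are affected."""
    for php in Path(plugins_dir).glob("*/*.php"):
        if is_affected(php.read_text(errors="replace")):
            yield php

# Constructed sample headers (not copied from the real plugin).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: Bridge Core\nVersion: 3.3.0\n*/\n"
SAMPLE_NEW = "<?php\n/*\n * Plugin Name: Bridge Core\n * Version: 3.3.1\n */\n"

if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("affected:", hit)
```

Run it with the path to a site's `wp-content/plugins` directory; a pre-release suffix such as `3.3.0-beta` is compared by its numeric part and is reported as affected.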
Risk and Exploitability
The CVSS score of 6.5 places the issue in the medium severity band. The EPSS score of less than 1% indicates that historically the likelihood of exploitation is low. The vulnerability is not yet listed by CISA in its KEV catalog. Attackers could exploit it by creating or editing content within the plugin, thereby injecting script that runs whenever other users view affected pages. The likely attack vector is a web interface that accepts user‑generated data, and the vulnerability requires the ability to input data that is subsequently displayed without sanitization.