Impact
A stored cross-site scripting flaw in Mindshare Labs, Inc. WP Ultimate Search allows an attacker to inject malicious scripts that are permanently stored and rendered within the web page. The weakness is a classic CWE-79 input validation issue: user input is not properly neutralized before being embedded in HTML. If exploited, a victim's browser runs attacker-controlled JavaScript in the context of the site, which could be used to steal credentials, deface content, or redirect users to phishing sites.
Affected Systems
The vulnerability affects the WordPress plugin WP Ultimate Search from Mindshare Labs, Inc., for all releases from the earliest available version up through 2.0.3. Any WordPress site that has this plugin installed and has not yet upgraded is at risk.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate-to-high impact for the vulnerable plugin, while the EPSS score below 1% suggests exploitation is currently unlikely but not impossible. The flaw is not listed in the CISA KEV catalog. The likely attack vector is the plugin's input fields or administrative interfaces that accept unsanitized data, so that a payload stored once is later served to every site visitor. Authentication or administrative privileges may be required depending on the specific entry point, but the stored nature of the payload increases the threat to all users.
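The pattern behind a CWE-79 stored XSS in a WordPress plugin, and the way a maintainer closes it, is easier to see in code than in the description above. The following is a constructed example added here; it is not code from WP Ultimate Search or from Mindshare Labs, Inc., and the `wpus_demo_*` function names, the `wpus_demo_heading` option and the `wpus_heading` form field are hypothetical. The WordPress core calls it uses (`update_option`, `get_option`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr`, `wp_die`) are real. The first two functions show the defect class the advisory describes: a setting taken from a request is stored without checks and echoed back into a page unescaped, so whoever can reach that entry point can plant markup that every visitor's browser then renders. The hardened pair shows the controls a reviewer looks for: an authorization check, a nonce check, sanitization on save and, most importantly, context-appropriate escaping on output.

```php
<?php
/**
 * Constructed example (not code from WP Ultimate Search or Mindshare Labs):
 * a hypothetical settings page for a search plugin that stores a
 * "results heading" string and echoes it on the public search-results page.
 */

// --- Vulnerable pattern (CWE-79): request data stored as-is, echoed as-is ---
function wpus_demo_save_heading_vulnerable() {
    if ( isset( $_POST['wpus_heading'] ) ) {
        // No capability check, no nonce check, no sanitization.
        update_option( 'wpus_demo_heading', $_POST['wpus_heading'] );
    }
}

function wpus_demo_render_heading_vulnerable() {
    $heading = get_option( 'wpus_demo_heading', 'Search results' );
    // Unescaped output: whatever was stored becomes part of the page's HTML
    // for every visitor, which is what makes the flaw "stored" rather than reflected.
    echo '<h2 class="wpus-heading">' . $heading . '</h2>';
}

// --- Hardened pattern: authorize, verify intent, sanitize on save, escape on output ---
function wpus_demo_save_heading_hardened() {
    if ( ! isset( $_POST['wpus_heading'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Reject requests that do not carry the nonce for this action (CSRF protection).
    check_admin_referer( 'wpus_demo_save_heading', 'wpus_demo_nonce' );

    // Remove WordPress's added slashes, then strip tags and control characters.
    $heading = sanitize_text_field( wp_unslash( $_POST['wpus_heading'] ) );
    update_option( 'wpus_demo_heading', $heading );
}

function wpus_demo_render_heading_hardened() {
    $heading = get_option( 'wpus_demo_heading', 'Search results' );
    // Escape for the exact output context: element text here, attribute value below.
    // Sanitizing on save is defence in depth; escaping on output is the control that
    // actually closes CWE-79, because stored data may have entered through other paths
    // (imports, other plugins, or a version that predates the fix).
    echo '<h2 class="wpus-heading">' . esc_html( $heading ) . '</h2>';
    echo '<input type="search" name="s" placeholder="' . esc_attr( $heading ) . '">';
}

// Settings form that posts to the hardened handler; wp_nonce_field() emits the
// hidden nonce input that check_admin_referer() verifies above.
function wpus_demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpus_demo_save_heading', 'wpus_demo_nonce' );
    echo '<input type="text" name="wpus_heading" value="'
        . esc_attr( get_option( 'wpus_demo_heading', '' ) ) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

When auditing a plugin for this class of bug, grep for `echo`, `print` and `printf` calls whose arguments come from `get_option`, `get_post_meta`, `$_GET`, `$_POST` or `$_REQUEST` and check that each one passes through an `esc_*` or `wp_kses*` function matching its context; a value that is safe inside `esc_html()` is not automatically safe inside an attribute, a URL or a `<script>` block. For sites running the affected plugin, the remediation the advisory points to is upgrading beyond the affected range, and until then a content security policy and a log review for unexpected `<script>` or event-handler markup in stored plugin settings help bound the exposure.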
OpenCVE Enrichment
EUVD