The Better Section Navigation Widget plugin for WordPress contains an improper neutralization of input during web page generation vulnerability that allows stored cross‑site scripting. All content inserted via the plugin is rendered without adequate sanitization, enabling an attacker to inject malicious JavaScript that executes in the browsers of anyone who views the affected page. The stored XSS could lead to session hijacking, credential theft, or defacement, thereby compromising the confidentiality and integrity of site users.

Affected are installations of the plugin from any version prior to and including 1.6.1, as distributed by cornershop under the product name Better Section Navigation Widget. No specific sub‑features are mentioned, so all versions up to and including 1.6.1 are vulnerable.

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need to add or modify content through the plugin’s administrative interface, after which the malicious script is served in future page views. Because the flaw is stored, it affects all site visitors who view the compromised content; authentication is not required to trigger the payload.