Impact
The vulnerability is a stored cross‑site scripting flaw in the Footnotes for WordPress plugin caused by improper neutralization of user input before rendering it on a web page. Malicious code injected into a footnote will execute in the browsers of any visitor who views the content, potentially allowing the attacker to hijack sessions, deface content, or run arbitrary scripts in the victim’s context.
Affected Systems
All releases of the C. Johnson Footnotes for WordPress plugin up to and including 2016.1230 are affected; the earliest affected version is not specified. Any WordPress site with the plugin installed at this version or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, while an EPSS score of less than 1% suggests exploitation is unlikely yet still possible. The vulnerability is stored, meaning the malicious code remains present until the content is modified or the plugin is updated. The exploit requires the ability to create or edit footnotes, which may be limited to users with appropriate permissions; the description does not state this explicitly, but it is a reasonable inference based on how stored XSS typically operates. Attackers would submit malicious input through the plugin’s interface, and the code would then execute for all site visitors who load the affected footnote.