Improper neutralization of input during web page generation enables attackers to store malicious scripts that are later served to site visitors. The stored XSS flaw, identified as CWE‑79, allows an attacker to embed arbitrary JavaScript into pages generated by the Client Showcase plugin. When a legitimate user views the affected content, the browser executes the injected script, which can lead to cookie theft, session hijacking, defacement or delivery of malware. Due to the stored nature of the payload, the impact can persist across sessions and affect any user who views the compromised content.

The vulnerability affects the Client Showcase plugin developed by dxladner. All versions from the earliest release through version 1.2.0 are vulnerable. Users running the plugin in WordPress installations that have not upgraded beyond current 1.2.0 are impacted.

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. The likely attack vector is via the plugin’s form fields or any interface that accepts user‑supplied content, which the plugin stores without proper sanitization. An attacker can simply embed a malicious payload into the stored data; when the data is later rendered by the plugin, the payload will be executed in the browsers of all users who view that content.