The vulnerability enables an attacker to embed malicious scripts that are stored in the WordPress database and executed when a page containing the content is viewed by any user. This form of Stored Cross‑Site Scripting (XSS) can be used to steal user credentials, hijack sessions, deface the site, or distribute malware. The weakness is identified as CWE‑79 – Improper Neutralization of Input During Web Page Generation. The impact is confined to the confidentiality of user data and the integrity of the web application’s output content.

The affected product is LeadQuizzes, a WordPress plugin developed by yazamodeveloper. All releases up to and including version 1.1.0, and any preceding releases, are vulnerable. No specific vendor or product versions beyond the 1.1.0 bound are mentioned, so any installation running a version equal to or earlier than 1.1.0 is impacted.

The CVSS score for this issue is 6.5, which reflects a moderate risk level. The EPSS score is stated as less than 1%, implying a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, further indicating it is not a widely known or actively exploited weakness at the time of reporting. Attacks would most likely occur through user‑controlled input fields in the LeadQuizzes interface, a context not protected by proper sanitization, allowing the stored script to execute when rendered. The lack of a high‑severity score and low exploitation probability suggest that while the flaw is potentially damaging, widespread practical exploitation is currently unlikely. Nonetheless, because XSS can lead to significant user data theft and site compromise, administrators should address the issue promptly.