Impact
ContentBot AI Writer, a WordPress plugin, contains an improper neutralization of input during web page generation that allows attackers to inject scripts that persist in stored content. This stored XSS flaw can be leveraged to steal user credentials, hijack sessions, deface the site, or serve additional malware to visitors. The weakness is a classic CWE‑79 flaw (untrusted input reaching a page without being sanitized on the way in or escaped on the way out) that compromises client‑side confidentiality and integrity.
Affected Systems
WordPress installations running the ContentBot.ai ContentBot AI Writer plugin, version 1.2.4 or earlier, are vulnerable. The flaw applies to any instance where the plugin’s content or comment fields accept untrusted input without proper sanitization.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation at the moment. It is not currently listed in the CISA KEV catalog. The likely attack vector is the WordPress admin interface or front‑end forms that submit data to the plugin; an attacker may use these inputs to store scripts that later render in the browsers of site visitors. Without an active exploit, the risk remains moderate, but the presence of a stored XSS endpoint means that any authenticated user could insert a payload that affects every visitor who views the stored content.
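The following PHP fragment is an added illustration of the defect class described above and its usual fix in a WordPress plugin; it is not ContentBot's code and does not reproduce the affected plugin's internals. It assumes a hypothetical plugin that accepts a note from a form and later renders it, and it assumes the WordPress core API is loaded (the `cb_demo_*` function names and the `cb_demo_note` option are invented for the example).

```php
<?php
// Added example for this advisory, not the ContentBot AI Writer plugin's code.
// Assumes WordPress is loaded so that update_option(), sanitize_text_field(),
// esc_html(), wp_verify_nonce() and current_user_can() are available.

// --- Vulnerable pattern (CWE-79): input stored verbatim and echoed back unchanged ---
function cb_demo_save_vulnerable( $raw ) {
    // No capability check, no nonce, no sanitization: whatever was submitted is persisted.
    update_option( 'cb_demo_note', $raw );
}

function cb_demo_render_vulnerable() {
    // Stored value is concatenated straight into markup, so any HTML in it is
    // interpreted by every visitor's browser. This is the stored-XSS sink.
    return '<div class="note">' . get_option( 'cb_demo_note', '' ) . '</div>';
}

// --- Hardened pattern: authorize, verify the request, sanitize on input, escape on output ---
function cb_demo_save_hardened( $raw, $nonce ) {
    // Only users who may edit content get to store anything.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false;
    }
    // Reject forged cross-site submissions ('cb_demo_save' is the invented nonce action).
    if ( ! wp_verify_nonce( $nonce, 'cb_demo_save' ) ) {
        return false;
    }
    // sanitize_text_field() strips tags and control characters before storage.
    // If the feature must keep limited formatting, use wp_kses_post() here instead.
    update_option( 'cb_demo_note', sanitize_text_field( wp_unslash( $raw ) ) );
    return true;
}

function cb_demo_render_hardened() {
    // Escape at the point of output regardless of what was sanitized on input:
    // esc_html() turns <, >, & and quotes into entities, so stored markup is shown as text.
    return '<div class="note">' . esc_html( get_option( 'cb_demo_note', '' ) ) . '</div>';
}

// Constructed sample input (labelled as such): a note carrying an HTML tag.
// With the vulnerable path the tag is stored and rendered live; with the hardened
// path it is stripped on save and, even if it somehow reached the database, it
// would be rendered as inert text by esc_html().
$sample = 'Quarterly report <b onmouseover="x()">draft</b>';
cb_demo_save_hardened( $sample, wp_create_nonce( 'cb_demo_save' ) );
echo cb_demo_render_hardened();
```

The two layers are deliberately redundant: input sanitization limits what reaches the database, and output escaping protects the page even when data arrived through another route (an import, an older plugin version, or a direct database edit). For detection on an existing site, reviewing stored plugin options and post content for unexpected `<script`, `on*=` attributes or `javascript:` URLs is the practical check, since a fix in the plugin does not clean payloads that are already stored.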
OpenCVE Enrichment