Improper neutralization of user input during web page generation allows an attacker to store and subsequently render malicious script code in stored outputs, resulting in a stored cross‑site scripting (XSS) vulnerability. According to the description the flaw is a classic stored XSS, classified as CWE‑79, with a CVSS score of 7.1, indicating a high potential impact on confidentiality, integrity, and availability of the affected web application. The vulnerability can enable an attacker to hijack victim sessions, steal cookies, or inject arbitrary content that is presented to all users of the affected site.

The vulnerability affects the WordPress plugin known as wp secure from WebsiteDefender, impacting all releases from production start until and including version 1.2. Any WordPress site that has prevented or enabled the wp secure plugin in those releases is at risk, regardless of the WordPress core version or other plugins installed.

The EPSS score is less than 1%, indicating a very low probability of exploitation in the current landscape, and the vulnerability is not listed in CISA’s KEV catalog. However, its medium to high CVSS rating and the fact that it is a stored XSS – a well‑understood and frequently exploited weakness – mean that the risk is still significant, especially for sites that allow users to submit content or comments processed by the plugin. The likely attack vector would be any web form, comment field or user input mechanism that the plugin processes and stores without proper output sanitization, allowing an attacker to input malicious script payloads that will be rendered to all site visitors.