Impact
The Admin Menu Post List plugin for WordPress fails to neutralize user-supplied input before writing it into generated pages (the CWE-79 pattern), which allows stored cross-site scripting (XSS). An attacker who can inject or modify content that the plugin later renders can embed JavaScript that executes in the browser of any user who views the affected page, including administrators. The consequences are those of any stored XSS: defacement of the site's front end, theft of session cookies or tokens the browser can read, and actions performed with the victim's privileges, such as changes made through the WordPress admin interface while an administrator is logged in. XSS does not give remote code execution on the server; it gives arbitrary script execution inside the victim's browser session.
Affected Systems
The vulnerability affects the Admin Menu Post List plugin by Eliot Akira. All releases up to and including version 2.0.7 are affected. The lower bound of the range is given as n/a, which means no earliest affected version is specified, not that some pre-release version exists. The page does not name a fixed release, so treat any installed version at or below 2.0.7 as vulnerable and look for a later version before assuming a site is safe.
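A quick way to turn the version range above into an inventory check. This is an added example, not code from the advisory or from the plugin; it assumes the plugin's main PHP file carries a standard WordPress "Version:" header and that the wordpress.org slug is admin-menu-post-list (both assumptions). The comparison is component-wise on integers so that 2.0.10 is correctly treated as newer than 2.0.7, which a plain string compare would get wrong.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the plugin.
# Assumptions: standard WordPress "Version:" plugin header; slug is
# admin-menu-post-list for the WP-CLI variant at the bottom.

LAST_AFFECTED="2.0.7"   # from the advisory: all versions <= 2.0.7

# version_le A B: exit 0 if dotted version A <= B, comparing each component
# as an integer (so 2.0.10 > 2.0.7). A non-numeric suffix such as -beta is
# dropped before comparing.
version_le() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    ai=${ai:-0}; bi=${bi:-0}          # missing components count as 0
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 0                            # all components equal
}

# plugin_version FILE: print the Version: value from a WordPress plugin header
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# is_affected VERSION: exit 0 if VERSION is inside the advisory's range
is_affected() {
  version_le "$1" "$LAST_AFFECTED"
}

# check_plugin_file FILE: print a verdict; return 0 if affected, 1 if not,
# 2 if the file has no Version header at all
check_plugin_file() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "no Version header in $1"; return 2
  fi
  if is_affected "$v"; then
    echo "$1: version $v is affected (<= $LAST_AFFECTED)"; return 0
  fi
  echo "$1: version $v is not in the affected range"; return 1
}

# Demo on a constructed plugin header (not the real plugin file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
/**
 * Plugin Name: Admin Menu Post List
 * Version: 2.0.7
 */
EOF
check_plugin_file "$demo" || true
rm -f "$demo"

# On a live site the same check via WP-CLI (slug is an assumption):
#   is_affected "$(wp plugin get admin-menu-post-list --field=version)" && echo affected
```

Point `check_plugin_file` at `wp-content/plugins/<slug>/<main-file>.php` on each host, or feed `is_affected` the version reported by WP-CLI; a return code of 0 means the site is still inside the affected range.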
Risk and Exploitability
The CVSS score of 5.9 places the flaw in the medium severity range. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, not that exploitation is infeasible. The vulnerability is not listed in CISA's KEV catalog at the time of writing. The attack vector is inferred to be web input that the plugin stores and later renders, so an attacker needs the ability to supply content that ends up in the plugin's output, for example through administrative or content-editing interfaces; in many WordPress stored-XSS cases that means an authenticated user with content-editing rights rather than an anonymous visitor, which is consistent with the medium score. Because the payload is stored, the impact recurs on every page view until the malicious content is removed or the plugin is updated.
OpenCVE Enrichment