A stored cross‑site scripting vulnerability exists in the VibeThemes BP Social Connect plugin for WordPress that arises from improper input neutralization during web page generation. Attackers can inject malicious JavaScript that the plugin stores and later outputs on user pages. When executed by a victim’s browser, the injected script can steal session cookies, impersonate users, modify page content, or perform other malicious actions, compromising confidentiality and integrity of the site’s data. The weakness is identified as CWE‑79.

The flaw impacts institutions that use the VibeThemes BP Social Connect plugin for WordPress in any version through and including 1.6.2. Administrators should verify their current plugin version, as any release older than 1.6.3 remains vulnerable.

The CVSS score of 5.9 places this issue in the medium severity range, and the EPSS score of less than 1% indicates that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. It can be exploited via the web interface, likely by any user who can submit data to the plugin’s input fields. Because it is stored, the injected script persists until the content is cleared, enabling repeated attacks on all users who view the affected pages. An attacker with no special privileges can potentially insert the payload, making the threat accessible to the public, although the exact authentication requirements are not specified in the provided description.