Impact
Improper neutralization of input during web page generation results in a stored cross-site scripting (XSS) flaw in the WordPress One Click Accessibility plugin. If an attacker injects malicious script that is stored by the plugin, that script will later be served to any user who views the affected page, giving the attacker the ability to steal session cookies, deface content or perform further client-side attacks. Based on the description, the likely attack vector is an input field within the plugin's configuration or content entry interface that accepts unsanitized data. The vulnerability was rated CVSS 5.9.
Affected Systems
The flaw affects the Elementor Ally "pojo-accessibility" plugin from the earliest available release up through version 3.1.0. No other vendor or product versions are listed.
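A defender's check for the version range stated above, as an added example rather than code from the plugin or this advisory: it reads the plugin header from a `wp-content/plugins` directory and flags versions up through 3.1.0. The helper names and the constructed sample plugin file are assumptions; the page states no fixed version, so newer installs are reported only as outside the affected range.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "pojo-accessibility"  # slug named on this page
LAST_AFFECTED = (3, 1, 0)           # "up through version 3.1.0" per this page

# WordPress reads plugin metadata from a comment header in a top-level PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)


def parse_version(text):
    """Turn '3.1.0' or '3.1' into a 3-part tuple; None if it has no digits."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None


def installed_version(plugins_dir):
    """Return the plugin's version tuple, or None if no usable header exists."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the first 8 KiB of a file is searched for header fields.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head) if NAME_RE.search(head) else None
        if match and parse_version(match.group(1)):
            return parse_version(match.group(1))
    return None


def audit(plugins_dir):
    """Classify one plugins directory against the range given on this page."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-found"
    return "affected" if version <= LAST_AFFECTED else "outside-affected-range"


def make_constructed_site(version):
    """Build a throwaway plugins directory (constructed sample, not plugin code)."""
    plugin_dir = Path(tempfile.mkdtemp()) / PLUGIN_SLUG
    plugin_dir.mkdir()
    header = "<?php\n/**\n * Plugin Name: Constructed Sample\n * Version: %s\n */\n"
    (plugin_dir / "main.php").write_text(header % version, encoding="utf-8")
    return plugin_dir.parent


if __name__ == "__main__":
    for sample in ("3.1.0", "3.10.2"):  # constructed version strings
        print(sample, audit(make_constructed_site(sample)))
```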
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate impact. The EPSS score of less than 1% suggests that exploitation of this vulnerability in the wild is currently unlikely, and the vulnerability is not currently catalogued in CISA's KEV list. If an attacker can supply data through the plugin's input paths, the stored script will be delivered to all site visitors, potentially leading to compromise of user accounts or defacement of the site. However, because the vulnerability requires data to be stored and then displayed, it is less likely to be exploited by arbitrary unauthenticated users unless the plugin exposes such input to them. The overall risk to a typical WordPress site is moderate, but it warrants a prompt update to avoid exploitation.