Impact
Network Posts Extended, a WordPress plugin, has a stored cross-site scripting vulnerability in its handling of the post_height parameter. The plugin neither sanitizes the value on input nor escapes it on output, so an authenticated user with the Contributor role or higher can place arbitrary JavaScript in a post through this parameter. Because the payload is stored with the post, it executes in the browser of every user who later views the affected page, administrators included. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The description itself states only the injection and execution; the usual consequences of stored XSS on a WordPress site (reading cookies or nonces, hijacking sessions, performing actions as the viewing user, defacement) are inferred from the vulnerability class rather than from the advisory text.
Affected Systems
Affected systems are any installations of the Network Posts Extended plugin from vendor JohnzenaUSA, in all versions up to and including 7.7.1. Any WordPress site running one of these versions is exposed if any account at Contributor level or above is untrusted or compromised: a Contributor cannot publish, but the content they submit is rendered to whoever reviews or previews it, and the post_height value is the injection point.
Risk and Exploitability
The CVSS base score of 6.4 places the issue at Medium severity. EPSS is below 1 %, meaning the model currently estimates a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with at least Contributor privileges; the attack is still carried out over the network through the normal post editor, so the limiting factor is privileges required, not the attack vector. Once the script is stored it runs for every visitor or reviewer of the page. Upgrading the plugin stops the stored value from being rendered unescaped, but the injected content remains in the database until the affected posts are edited or removed, so the upgrade should be followed by a review of existing posts that use post_height.
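The following is an added example written for this page, not code from Network Posts Extended or its vendor. It assumes the plugin exposes post_height as a shortcode attribute (shortcode name `npe_demo` and the emitted HTML are hypothetical) and shows the unescaped-attribute pattern described above next to a hardened version, followed by a small scanner for the post-upgrade clean-up of stored posts. Minimal stand-ins for `shortcode_atts`, `esc_attr` and `absint` let it run under plain `php` outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's code. Shortcode [npe_demo post_height="..."]
// and the generated markup are hypothetical; only the CWE-79 pattern is real.
// Stand-ins so the file runs under `php` without WordPress loaded.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}

// Vulnerable pattern: the attribute value is concatenated straight into HTML.
function npe_demo_vulnerable(array $atts): string {
    $a = shortcode_atts(['post_height' => '200'], $atts);
    return '<div class="npe-post" style="height:' . $a['post_height'] . 'px">...</div>';
}

// Hardened pattern: a pixel height is a number, so coerce it with absint()
// and still escape on output with esc_attr() as defence in depth.
function npe_demo_hardened(array $atts): string {
    $a = shortcode_atts(['post_height' => '200'], $atts);
    $height = absint($a['post_height']);
    if ($height === 0) {
        $height = 200; // junk or empty input falls back to the default
    }
    return '<div class="npe-post" style="height:' . esc_attr((string) $height) . 'px">...</div>';
}

// Constructed attribute value of the kind a Contributor could put in a post
// (single-quoted in the shortcode so the inner double quotes survive parsing).
// It closes the style attribute and adds an event handler; the real plugin's
// markup differs, this only shows why escaping matters.
$atts = ['post_height' => '200" onmouseover="alert(document.cookie)'];
echo "vulnerable: " . npe_demo_vulnerable($atts) . "\n";
echo "hardened:   " . npe_demo_hardened($atts) . "\n";

// Clean-up check: return every post_height value in a post body that is not a
// plain integer. Feed it post_content strings, e.g. from
// `wp post list --post_type=post --fields=ID,post_content --format=json`.
function npe_find_suspicious_post_height(string $post_content): array {
    $re = '/post_height\s*=\s*(?:(["\'])(.*?)\1|([^\s\]\'"]+))/s';
    preg_match_all($re, $post_content, $matches, PREG_SET_ORDER);
    $bad = [];
    foreach ($matches as $m) {
        $value = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
        if (!preg_match('/^\d+$/', $value)) {
            $bad[] = $value;
        }
    }
    return $bad;
}

// Constructed sample post body: one benign use, one injected value.
$sample = "[npe_demo post_height=\"300\"] text "
        . "[npe_demo post_height='1\" onfocus=\"alert(1)' ]";
print_r(npe_find_suspicious_post_height($sample));
// expected: one suspicious value, 1" onfocus="alert(1)
```

The scanner deliberately accepts only digits: any quote, angle bracket, or event-handler text in a value that should be a pixel count is a reliable indicator that a post needs manual review, regardless of whether the payload would actually fire after the upgrade.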