Impact
The vulnerability is an improper neutralization of script‑related HTML tags that allows stored XSS in the bPlugins Html5 Audio Player WordPress plugin. An attacker who can get malicious JavaScript stored through the plugin has it execute in the browser of any user who views the affected content, enabling manipulation of the DOM, theft of session cookies, or defacement. The weakness is categorized as basic XSS (CWE‑80) and carries a CVSS score of 6.5, a moderate severity with impact on the confidentiality, integrity, and availability of user data.
Affected Systems
The issue affects the WordPress plugin bPlugins Html5 Audio Player, versions from the initial release through and including 2.2.28. No other versions or products are listed in the CNA data.
Risk and Exploitability
The EPSS score is below 1 %, indicating a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog, which further suggests limited known exploitation. The likely attack vector requires the attacker to store malicious content via the plugin, typically by creating or editing a media entry or post that the plugin processes. Once stored, the payload runs for every user who accesses that content, including users with elevated privileges and administrators. Given the CVSS rating and the exploitation probability, the overall risk is moderate, but unpatched installations remain exposed to script execution in their users' browsers.
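As an added illustration (not code from the plugin or from the advisory), the rendering pattern that CWE‑80 describes beside a hardened form, written in Python so it runs stand-alone; the stored entry, its field names and the URLs are constructed, and the WordPress equivalents named in the comments (esc_attr, esc_url, wp_kses) are the real functions a PHP plugin would use.

```python
import html
from urllib.parse import urlsplit

# Constructed stored entry, shaped like a media item a user could save
# through an audio player plugin. The values are deliberately hostile.
STORED_ENTRY = {
    "title": "Intro</audio><script>alert(1)</script>",
    "src": "javascript:alert(1)",
}

ALLOWED_SCHEMES = {"http", "https"}


def safe_media_url(url):
    """Return the URL only if it uses an allowed scheme, else None.
    Counterpart of WordPress esc_url(): rejects javascript:/data: sources."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return url


def render_player_unsafe(entry):
    """Vulnerable pattern (CWE-80): stored values are dropped into the
    markup verbatim, so tags and script URLs in them become live HTML."""
    return f'<audio controls src="{entry["src"]}" title="{entry["title"]}"></audio>'


def render_player_safe(entry):
    """Hardened form: attribute-escape every stored value (WordPress
    esc_attr) and allowlist the media URL scheme before emitting it."""
    src = safe_media_url(entry["src"]) or ""
    return (
        f'<audio controls src="{html.escape(src, quote=True)}" '
        f'title="{html.escape(entry["title"], quote=True)}"></audio>'
    )


def contains_active_markup(fragment):
    """Coarse audit check over rendered output: a raw <script tag or a
    javascript: scheme surviving into HTML means neutralization failed."""
    low = fragment.lower()
    return "<script" in low or "javascript:" in low


if __name__ == "__main__":
    print("unsafe:", render_player_unsafe(STORED_ENTRY))
    print("safe:  ", render_player_safe(STORED_ENTRY))
```

The same audit check can be run over a site's stored entries before output to find values that a templating bug would turn into executable script.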