A stored cross‑site scripting flaw exists in the Author Box After Posts plugin, allowing an attacker to inject arbitrary script into the site’s output. When the malicious script is stored, it will be rendered to every user that views the affected page, potentially leading to cookie theft, session hijacking, or defacement. The weakness stems from inadequate neutralization of input before it is written to a permanent storage location on the site.

This vulnerability affects WordPress sites that use the Author Box After Posts plugin from the first release through version 1.6, as managed by Lloyd Saunders. Any site running these versions is potentially injectable through the plugin’s author‑box input facilities.

The CVSS score of 6.5 indicates moderate impact, while the EPSS score of < 1% shows that exploitation attempts are currently rare. The flaw is not yet listed in the CISA KEV catalog. Based on the nature of a stored XSS, the likely attack vector is through the WordPress administrative interface, where an attacker can submit content that will be stored by the plugin and later served to site visitors. No other prerequisites are specified in the description, implying that standard authenticated access to content creation or plugin settings would allow the vulnerability to be exercised.