Impact
The Mixcloud Embed plugin contains a stored cross‑site scripting flaw: user‑supplied input is not properly neutralized before it is rendered into web pages. This weakness, classified as CWE‑79, allows an attacker to inject arbitrary JavaScript that executes in the browser of every user who views the affected content, potentially leading to session hijacking, credential theft, or tampering with page content. The impact is limited to the confidentiality, integrity, and availability of the site's front end, but it extends to every visitor of a compromised page.
Affected Systems
All WordPress installations running the biancardi Mixcloud Embed plugin at version 2.2.0 or earlier are affected. Any site that has deployed, or still runs, one of these versions is susceptible to the stored XSS.
Risk and Exploitability
The CVSS score of 6.5 corresponds to Medium severity, and the EPSS score, reported as below 1%, indicates a low probability of widespread exploitation at present. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue, so no confirmed in‑the‑wild exploitation is recorded there; absence from the catalogue only means exploitation has not been confirmed by CISA, not that it is infeasible. From the description it is inferred that an attacker would need access to an interface through which the plugin accepts user‑supplied data, such as the post editor, a shortcode attribute, or a form, and would place a malicious script there. The payload is stored and later served, unescaped, to every user who loads the affected page.
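The failure mode described in the Impact and Risk sections (attribute text stored by a post author and later echoed into HTML without escaping) is illustrated below with a hypothetical embed shortcode. This is an added example written for this page; it is not the Mixcloud Embed plugin's code and makes no claim about where the real flaw sits. The function names, the `feed=` query parameter, the sample attributes and the whole vulnerable/hardened pair are assumptions constructed for illustration. It is plain PHP so it runs from the CLI without WordPress; in a real plugin the same hardening would use `esc_url()`, `esc_attr()` and `shortcode_atts()`.

```php
<?php
// Added illustration, not the plugin's code. Models a generic WordPress-style
// shortcode such as [mixcloud url="..." width="..."] that is rendered into an
// <iframe> for every visitor of the post. All names and values are assumed.
declare(strict_types=1);

// Constructed sample attributes: what a post author might save in the editor.
const SAMPLE_ATTRS = [
    'url'   => 'https://www.mixcloud.com/example/show/',
    'width' => '100%',
];

// Constructed attack: the url attribute closes the src="..." attribute and
// smuggles an event handler onto the iframe element itself.
const MALICIOUS_ATTRS = [
    'url'   => 'https://www.mixcloud.com/x/" onload="alert(document.cookie)" data-x="',
    'width' => '100%',
];

// Vulnerable pattern (hypothetical): stored attributes are concatenated
// straight into markup, so any quote in them breaks out of the attribute.
function render_embed_vulnerable(array $atts): string
{
    $src = 'https://www.mixcloud.com/widget/iframe/?feed=' . ($atts['url'] ?? '');
    return '<iframe src="' . $src . '" width="' . ($atts['width'] ?? '100%')
         . '" frameborder="0"></iframe>';
}

// Hardened version: validate the value on input, then escape on output.
// Returns null when the URL is not an https Mixcloud URL.
function render_embed_safe(array $atts): ?string
{
    $url   = (string)($atts['url'] ?? '');
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || ($parts['host'] ?? '') !== 'www.mixcloud.com') {
        return null; // allowlist: only Mixcloud itself may be embedded
    }

    // width: accept only digits with an optional trailing % (e.g. 640 or 100%)
    $width = (string)($atts['width'] ?? '100%');
    if (!preg_match('/^\d{1,4}%?$/', $width)) {
        $width = '100%';
    }

    // Assumed widget contract: feed carries the URL-encoded show path.
    $src = 'https://www.mixcloud.com/widget/iframe/?feed='
         . rawurlencode($parts['path'] ?? '/');

    // Escape every value at the point it enters an HTML attribute.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $esc($src) . '" width="' . $esc($width)
         . '" frameborder="0"></iframe>';
}

// Demonstration: the vulnerable renderer emits an injected onload handler;
// the hardened one either rejects the value or encodes the quote so that
// no attribute breakout is possible.
function demo(): bool
{
    $vuln = render_embed_vulnerable(MALICIOUS_ATTRS);
    $safe = render_embed_safe(MALICIOUS_ATTRS);
    $benign = render_embed_safe(SAMPLE_ATTRS);

    $breakout_in_vuln  = str_contains($vuln, ' onload="alert(document.cookie)"');
    $breakout_in_safe  = $safe !== null && str_contains($safe, ' onload=');
    $benign_rendered   = $benign !== null && str_contains($benign, '%2Fexample%2Fshow%2F');

    echo "vulnerable: $vuln\n";
    echo "hardened:   " . ($safe ?? '(rejected)') . "\n";
    echo "benign:     " . ($benign ?? '(rejected)') . "\n";

    return $breakout_in_vuln && !$breakout_in_safe && $benign_rendered;
}

if (PHP_SAPI === 'cli') {
    exit(demo() ? 0 : 1);
}
```

Run it with `php example.php`. The vulnerable output contains a second `onload` attribute on the iframe, which the browser will honour for every visitor; the hardened output keeps the attacker's string inside the `src` value as `%22` and `&quot;`, so the markup stays exactly one iframe with the attributes the template intended.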
OpenCVE Enrichment