Impact
The Zotpress plugin contains a stored XSS flaw in the nickname input that is not properly sanitized or escaped. Authenticated users with Author rights or higher can inject arbitrary JavaScript into created pages. When other site visitors load an affected page, the malicious code runs in their browsers, potentially allowing cookie theft, session hijacking, defacement, or the execution of further attacks on the site’s users.
Affected Systems
The vulnerability affects the Zotpress WordPress plugin distributed by kseaborn, in all releases up to and including version 7.3.15; any WordPress installation running one of those versions is vulnerable.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the flaw is not listed in CISA's KEV catalog. The attack vector requires an authenticated user with Author or higher privileges, which limits the attacker’s reach but still permits significant damage if such credentials are compromised.
OpenCVE Enrichment
EUVD