Impact
The WP Airdrop Manager plugin for WordPress contains a stored cross-site scripting vulnerability that can be triggered by untrusted input. The flaw arises because the plugin does not properly neutralize user-supplied data before rendering it in a page, allowing malicious JavaScript to be persisted and executed later. Attackers can leverage this to steal credentials, inject malware, or deface the site, compromising the confidentiality and integrity of user sessions. The CVSS score of 5.9 indicates a moderate risk, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not present in the CISA KEV catalog. The inferred attack vector is the plugin's front-end or admin interface, where an attacker can submit malicious input that is later rendered unescaped to other users. Mitigation is therefore time-critical for sites that expose the plugin's input fields to untrusted users.
Affected Systems
The vulnerability impacts all WordPress sites that have installed the kadesthemes WP Airdrop Manager plugin version 1.0.5 or earlier. The affected product is the plugin itself, and any WordPress installation incorporating this version is susceptible.
Risk and Exploitability
The CVSS score of 5.9 signals moderate severity, while the EPSS value of less than 1% indicates a low probability of exploitation at present. The vulnerability has not been flagged in the CISA KEV catalog. Based on the description, the likely attack vector is user-controllable input rendered on the site, enabling attackers to inject persistent scripts that execute in the browsers of other visitors.
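As an added illustration of the weakness class described above (missing neutralization of stored input), this is not the plugin's code, which the advisory does not show: a hypothetical WordPress settings fragment in its vulnerable form beside a hardened form. The option name, field name and nonce action ('demo_airdrop_title', 'demo_save_title') are invented for the example.

```php
<?php
// Illustrative WordPress plugin fragment (NOT WP Airdrop Manager's code).
// Hypothetical option and form field: 'demo_airdrop_title'.

// VULNERABLE PATTERN: raw request input is stored, then echoed unescaped.
// Whatever markup the stored value contains is rendered in every
// visitor's browser that loads this page, which is stored XSS.
function demo_save_title_vulnerable() {
    if ( isset( $_POST['demo_airdrop_title'] ) ) {
        update_option( 'demo_airdrop_title', $_POST['demo_airdrop_title'] );
    }
}
function demo_render_title_vulnerable() {
    echo '<h2>' . get_option( 'demo_airdrop_title', '' ) . '</h2>';
}

// HARDENED PATTERN: authorize and verify intent on input, sanitize what
// is stored, and escape for the HTML context on every output.
function demo_save_title_hardened() {
    if ( ! isset( $_POST['demo_airdrop_title'] ) ) {
        return;
    }
    // Only privileged users, and only through a form this plugin issued.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_title' ); // dies on a missing/bad nonce
    // sanitize_text_field() strips tags, invalid UTF-8, octets and line breaks.
    $title = sanitize_text_field( wp_unslash( $_POST['demo_airdrop_title'] ) );
    update_option( 'demo_airdrop_title', $title );
}
function demo_render_title_hardened() {
    // Escaping at output is the control that actually stops stored XSS;
    // sanitizing on save is defense in depth, not a substitute for it.
    echo '<h2>' . esc_html( get_option( 'demo_airdrop_title', '' ) ) . '</h2>';
}
function demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_title' );
    // Attribute context needs esc_attr(), not esc_html().
    echo '<input name="demo_airdrop_title" value="'
        . esc_attr( get_option( 'demo_airdrop_title', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

When auditing a plugin build for this class of flaw, look for echo or print statements of get_option(), get_post_meta() or request superglobals that are not wrapped in an esc_html(), esc_attr() or wp_kses*() call.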
OpenCVE Enrichment