The Simple Membership plugin for WordPress contains a stored Cross‑Site Scripting flaw caused by insufficient input sanitization during web page generation. Malicious script code can be entered into plugin fields and is saved in the database; when the content is later rendered in a user’s browser, the script executes. This can result in session hijacking, credential theft, phishing attacks, or other malicious actions that compromise the confidentiality, integrity, or availability of the site from the perspective of any user who views the affected content. The weakness is classified as CWE‑79.

The vulnerability applies to all installations of the wp.insider Simple Membership plugin with a version of 4.6.3 or earlier. Users of this plugin who have not upgraded beyond version 4.6.3 are affected.

The CVSS score of 5.9 indicates moderate severity, but the EPSS score of less than 1% suggests exploitation is currently unlikely. The flaw is not listed in CISA’s KEV catalog, further indicating limited current exploitation activity. Attackers would need to insert malicious code into patched data fields that are subsequently displayed; the stored nature of the XSS provides a persistent threat once the script is embedded. The likely attack vector is through the plugin’s administrative or user‑contributed input interfaces, making the vulnerability exploitable by anyone who can add or edit content through the plugin.