Impact
The WP LOL Rotation plugin, version 1.0 or earlier, contains an Improper Neutralization of Input During Web Page Generation vulnerability (stored cross-site scripting). An attacker who can place script into stored content has it rendered, unescaped, in the browser of any user who later views the affected page. The script then runs with that user's privileges and can hijack sessions, collect credentials, or deface the site, compromising the confidentiality, integrity, and availability of site data. The weakness maps to CWE-79 and is confined to stored input that is not properly escaped before display.
Affected Systems
This issue affects the WordPress plugin WP LOL Rotation developed by worstguy. All installations of the plugin from the earliest available version up through and including 1.0 are vulnerable. No further version range is specified, so any legacy installation of this plugin that has not been upgraded is considered at risk.
Risk and Exploitability
The CVSS score for this vulnerability is 6.5, indicating moderate severity. The EPSS score is less than 1%, indicating a low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is the plugin's admin interface or its content entry points, where an attacker can supply malicious input that is stored and later rendered to users. Once the payload is embedded in the page, any user who views that page has the script executed in their browser. Because the impact is confined to the browser context and requires the attacker to be able to inject data, the overall risk is moderate, but it is higher where the plugin is used on public-facing sites and users can be directed to the affected pages.
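The CWE-79 pattern described in the Impact and Risk sections, shown as an added illustration rather than the plugin's actual code: a hypothetical WordPress settings value written through the admin interface and later rendered on the front end, first in the vulnerable form (stored value echoed raw) and then hardened with a capability check, nonce, input sanitization on save, and context-appropriate escaping on output. All option, nonce, and function names are placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code. Names prefixed "hypo_" are placeholders.

// --- Vulnerable pattern (CWE-79): stored value echoed without escaping ---
function hypo_render_banner_vulnerable() {
    // Whatever was stored via the admin form, including markup, is written into the page as-is.
    $text = get_option( 'hypo_banner_text', '' );
    echo '<div class="banner">' . $text . '</div>';  // raw output: stored script runs in every viewer's browser
}

// --- Hardened form: restrict who can write, sanitize on write, escape on output ---

// 1. Only privileged users holding a valid nonce may store the value.
function hypo_save_banner_text() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'hypo_save_banner' );  // CSRF protection for the admin-post handler

    // Strip tags and control characters before storage. Stored data is still
    // treated as untrusted at render time; sanitization here is defense in depth.
    $clean = sanitize_text_field( wp_unslash( $_POST['hypo_banner_text'] ?? '' ) );
    update_option( 'hypo_banner_text', $clean );
}
add_action( 'admin_post_hypo_save_banner', 'hypo_save_banner_text' );

// 2. Escape for the exact output context at render time. esc_html() for HTML body text;
//    use esc_attr() inside attribute values, esc_url() for href/src, and wp_kses_post()
//    only where a limited, allow-listed subset of HTML is intentionally permitted.
function hypo_render_banner_safe() {
    $text = get_option( 'hypo_banner_text', '' );
    echo '<div class="banner">' . esc_html( $text ) . '</div>';
}
add_shortcode( 'hypo_banner', 'hypo_render_banner_safe' );
```

When reviewing a plugin for this class of bug, search every echo/print of get_option(), post meta, or request data and confirm an esc_*() or wp_kses*() call wraps it for the context in which it lands.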