The identified flaw is a stored cross‑site scripting vulnerability in the LeadBI Plugin for WordPress that allows an attacker to inject malicious scripts into the web page viewable by other site users. As a result, compromised users could be redirected to phishing sites, have their credentials harvested, or have their sessions hijacked, thereby affecting the confidentiality, integrity, and availability of user sessions. The weakness is a failure to properly neutralize user input during page generation.

LeadBI Plugin for WordPress, versions from the earliest release up to and including 1.7. Any WordPress installation running one of these versions is considered affected unless an earlier upgrade was applied.

The CVSS score of 6.5 indicates high severity, and the EPSS score of less than 1% shows that the probability of exploitation is very low but not zero. The vulnerability is not listed in the CISA KEV catalog, so it has not been observed in widespread attacks yet. An attacker would need to inject a crafted payload via the plugin’s data fields; typical attack vectors would involve input sites that are not properly encoded or filtered. Once injected, the script executes in the context of the site’s users, allowing various malicious actions as outlined above.