Impact
The vulnerability is a stored cross‑site scripting (XSS) flaw in the WP‑FB‑AutoConnect WordPress plugin from the vendor JK. The plugin does not neutralize user‑supplied input before that input is rendered into generated web pages, so an attacker can submit script that the plugin saves and then serves on later requests. Because the payload is persisted rather than merely reflected, every visitor who loads the affected page runs the attacker's script in the context of the site, which can lead to session hijacking, defacement, or data exfiltration. The weakness is catalogued as CWE‑79 (Improper Neutralization of Input During Web Page Generation).
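As an added illustration of the CWE‑79 pattern described above (this is not code from the plugin or the advisory; the plugin's actual input field and output sink are not identified on this page), the following Python contrasts a stored value concatenated into HTML unencoded with a hardened rendering that encodes per context and allowlists link schemes, and checks both outputs the way a browser would tokenise them. The record, field names and payload are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a user-controlled record persisted by a plugin
# (saved on one request, rendered on every later one).  Hypothetical field
# names; the real plugin's storage and sink are not identified on the page.
STORED_PROFILE = {
    "display_name": '<img src=x onerror="alert(document.cookie)">',
    "website": "javascript:alert(1)",
}


def render_unsafe(profile):
    """Vulnerable pattern (CWE-79): stored values are concatenated into the
    page with no output encoding, so the markup executes for every visitor."""
    return '<a href="{}">{}</a>'.format(profile["website"],
                                       profile["display_name"])


SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(url):
    """Attribute-encode a URL after allowlisting its scheme.  html.escape on
    its own leaves a javascript: URL fully functional inside href."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return ""
    return html.escape(url, quote=True)


def render_safe(profile):
    """Hardened form: encode each value for the HTML context it lands in
    (quoted attribute vs. text node) and validate the link target."""
    return '<a href="{}">{}</a>'.format(
        safe_url(profile["website"]),
        html.escape(profile["display_name"], quote=True))


class ActiveContentFinder(HTMLParser):
    """Tokenises rendered HTML like a browser and records script-bearing
    constructs: script elements, on* event handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler " + name)
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in " + name)


def active_content(rendered):
    """Return the list of active-content findings in a rendered fragment."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(STORED_PROFILE)
        print(label, "->", out)
        print("  active content:", active_content(out) or "none")
```

The escaped text node in `render_safe` still contains the literal characters `onerror=`, which is why the check parses the output instead of grepping it: only a real start tag or attribute counts, so encoded markup is correctly reported as inert.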
Affected Systems
All versions of WP‑FB‑AutoConnect up to and including 4.6.4 are affected. The advisory data gives no lower bound for the range (the starting version is recorded as "n/a"), so every release through 4.6.4 should be treated as vulnerable. Any WordPress site on which the plugin is installed and active is exposed; the product is distributed by the vendor JK. Administrators should check the installed plugin version against that ceiling and confirm whether a fixed release is available.
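To carry out that version check, here is an added Python script (not part of the advisory or of the plugin) that reads a WordPress plugin's header comment, extracts the Version: field and compares it with the 4.6.4 ceiling. The sample header, the plugin directory name and the assumption that the header lives in a top-level .php file of the plugin directory are constructed for the example.

```python
import re
from pathlib import Path

# From the advisory: every release up to and including this one is affected.
MAX_AFFECTED_VERSION = "4.6.4"

# Constructed sample of a WordPress plugin main-file header; the real file's
# contents on a given install may differ.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: WP-FB-AutoConnect
Version: 4.6.4
Author: JK
*/
"""

# Matches "Version: x.y.z" whether the header uses /* */ or docblock " * " lines.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)",
                         re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text):
    """Extract the Version: field from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '4.6.4' into (4, 6, 4) for ordering.  Only the leading dotted
    numeric part is compared; a suffix such as '-beta1' is ignored, which
    errs on the side of treating pre-releases of 4.6.4 as affected."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError("unparseable version string: %r" % version)
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(installed, max_affected=MAX_AFFECTED_VERSION):
    """True when the installed version is <= the advisory's ceiling."""
    return version_key(installed) <= version_key(max_affected)


def check_plugin_dir(plugin_dir):
    """Scan the top-level .php files of one plugin directory for the header
    and report (version, affected); (None, None) if no header is found."""
    for php_file in sorted(Path(plugin_dir).glob("*.php")):
        version = parse_plugin_version(php_file.read_text(errors="replace"))
        if version:
            return version, is_affected(version)
    return None, None


if __name__ == "__main__":
    import sys
    # Usage: python check_version.py /var/www/html/wp-content/plugins/wp-fb-autoconnect
    # (the directory name is an assumption; use whatever your install shows)
    if len(sys.argv) > 1:
        version, affected = check_plugin_dir(sys.argv[1])
    else:
        version = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
        affected = is_affected(version)
    print("installed version:", version, "affected:", affected)
```

Tuple comparison is used deliberately: string comparison would rank 4.10 below 4.6.4. On a host with WP-CLI, `wp plugin list --fields=name,version` reads the same header field and can be fed to `is_affected` instead of scanning files.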
Risk and Exploitability
The CVSS score of 5.9 rates the flaw as medium severity. The EPSS score is below 1 %, indicating a low but nonzero probability of exploitation in the wild. Because the payload is stored on the server and executes in visitors' browsers, the attacker only has to get crafted input accepted through the plugin's own interface; that is the inferred attack vector, and no code execution on the server is involved. The original inference that no special privileges are needed to submit that input should be confirmed against the full CVSS vector before triage, since the privilege and user‑interaction metrics drive the score. The vulnerability is not listed in the CISA KEV catalog, which means CISA has not confirmed exploitation in the wild, not that exploitation is impractical: a stored XSS lets the attacker act as any logged‑in user who views the affected page, administrators included.