Impact
The Video Expander plugin for WordPress contains a stored Cross-Site Scripting vulnerability because it fails to neutralize user-supplied input during web page generation. A malicious actor can inject arbitrary JavaScript that is persisted in the site's content. When any visitor, authenticated or not, views the affected page, the script executes in that visitor's browser within the site's origin, potentially leading to session hijacking, defacement, or delivery of malware. This weakness is classified as CWE-79.
Affected Systems
WordPress sites that have the bcupham Video Expander plugin installed and enabled, with versions up to and including 1.0. The plugin is used to embed media, and any user capable of submitting or editing content can supply malicious payloads that will be stored and displayed. All such installations that accept user input are potentially impacted.
Risk and Exploitability
The CVSS score of 6.5 classifies the vulnerability as moderate severity. The EPSS score is less than 1%, indicating a low estimated probability of in-the-wild exploitation at the time of analysis. It is not listed in the CISA KEV catalog, so no known active exploits have been reported yet. The likely attack vector is the web interface where content is entered or edited: an attacker supplies a payload that is stored with the content and executed each time the page is rendered.
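The advisory does not show the plugin's code, so the following is an added, hypothetical illustration (not the Video Expander plugin's own code) of the CWE-79 pattern it describes: a shortcode handler that concatenates stored attribute values into markup unescaped, next to the WordPress-idiomatic fix that escapes each value for the context it lands in. The shortcode name and attribute names are assumptions; shortcode_atts(), esc_url(), esc_attr(), esc_html() and add_shortcode() are standard WordPress API functions.

```php
<?php
// Added, hypothetical illustration of stored XSS (CWE-79) in a WordPress shortcode.
// Assumes a shortcode such as [video_expander url="..." title="..."] whose attribute
// values are saved with the post content and echoed back whenever the page renders.

// VULNERABLE pattern: stored values are written straight into HTML, so any quote,
// angle bracket or unsafe URL scheme in them becomes part of the page's markup.
function ve_render_unsafe( $atts ) {
    $a = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'video_expander' );
    return '<div class="video-expander" data-src="' . $a['url'] . '">'
         . $a['title'] . '</div>';
}

// HARDENED pattern: escape at output time, choosing the escaper for the context.
//  - esc_url()  validates the scheme (rejecting e.g. javascript:) and encodes the URL
//               so it is safe inside a src/href-style attribute;
//  - esc_attr() entity-encodes quotes and angle brackets for a generic attribute;
//  - esc_html() entity-encodes text placed between tags.
function ve_render_safe( $atts ) {
    $a = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'video_expander' );
    return sprintf(
        '<div class="video-expander" data-src="%s" title="%s">%s</div>',
        esc_url( $a['url'] ),
        esc_attr( $a['title'] ),
        esc_html( $a['title'] )
    );
}

// Register only the hardened handler; the unsafe one is kept above for comparison.
add_shortcode( 'video_expander', 've_render_safe' );
```

When auditing a plugin for this class of bug, search for attribute or post-meta values that reach echo, print or string concatenation without passing through one of the esc_* functions or wp_kses().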