The vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting. Unsanitized data entered through Easy Taxonomy Images is persisted and later rendered on the public site without escaping, enabling an attacker to inject arbitrary JavaScript. It is inferred that the malicious script will be executed in the context of any visitor’s browser, potentially allowing the attacker to steal session cookies, hijack user sessions, redirect traffic, or display malicious content. Based on the description, it is inferred that a successful exploit requires the attacker to inject the malicious input, typically through administrative or content‑creation privileges within the plugin.

The flaw exists in the wpdevstudio Easy Taxonomy Images plugin for WordPress versions up to and including 1.0.1. Any WordPress installation that has this plugin installed and has not upgraded beyond 1.0.1 is affected. The vulnerability is present in all build versions of the plugin from its earliest releases up to the last known vulnerable version.

The CVSS score of 7.1 indicates a moderate to high impact level. The EPSS score of less than 1% signals a very low probability that exploit code will be actively seen in the wild at present. The stored XSS nature of the flaw means that exploitation hinges on the attacker being able to inject malicious input that is later served to site visitors; this typically requires administrative access or content‑author privileges. It is inferred that a public exploit would need the attacker to have the ability to create or edit taxonomy image data, which is not broadly available to general public users. The vulnerability is not listed in CISA’s KEV catalog. When the conditions are met, the script runs client‑side and bypasses server‑side defenses, potentially compromising the confidentiality, integrity, and availability of affected sites.