Impact
This vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript into the output of the Thumbnail Editor plugin. The injected script is saved when a user submits content through the plugin’s interface and executes in the browser of anyone who views the affected page, potentially permitting session hijacking, credential theft, or defacement. The weakness corresponds to improper neutralization of input during web page generation, classified as CWE‑79.
Affected Systems
The flaw affects all releases of AviPlugins.com’s Thumbnail Editor plugin for WordPress up to and including version 2.3.3. Any WordPress site that has installed this plugin and has not applied a later update is vulnerable. All WordPress installations that load the plugin’s admin or front‑end pages are at risk.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5, indicating a high impact. The EPSS score is reported as less than 1%, so exploitation likelihood is currently considered low, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote web‑based: an attacker can embed malicious payloads when submitting thumbnail or related data through the plugin’s user interface, causing the stored script to run for downstream visitors. Countermeasures such as input filtering and context‑appropriate output escaping are required to mitigate this vector.
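As an added illustration (not code from the Thumbnail Editor plugin or from AviPlugins.com), the store‑then‑echo pattern behind a stored XSS is shown beside its hardened WordPress form; the `tte_*` function names, the `_tte_caption` meta key and the nonce action are assumptions made for this example.

```php
<?php
// Added illustration, not code from the Thumbnail Editor plugin.
// Hypothetical "caption" field saved from a WordPress admin form and
// rendered on the front end; all tte_* names are invented for this example.

// --- Vulnerable pattern: raw request data stored, then echoed unescaped ---
function tte_save_caption_unsafe( $post_id ) {
    if ( isset( $_POST['tte_caption'] ) ) {
        // No sanitization: a <script> tag survives into the database.
        update_post_meta( $post_id, '_tte_caption', $_POST['tte_caption'] );
    }
}
function tte_render_caption_unsafe( $post_id ) {
    // No output escaping: stored markup executes in every viewer's browser.
    echo '<div class="tte-caption">' . get_post_meta( $post_id, '_tte_caption', true ) . '</div>';
}

// --- Hardened pattern: authorize the request, sanitize on save, escape on output ---
function tte_save_caption( $post_id ) {
    if ( ! isset( $_POST['tte_caption'], $_POST['tte_nonce'] ) ) {
        return;
    }
    // Reject forged requests and callers without rights to edit this post.
    if ( ! wp_verify_nonce( sanitize_key( $_POST['tte_nonce'] ), 'tte_save_' . $post_id )
         || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags and control characters from plain-text input.
    $caption = sanitize_text_field( wp_unslash( $_POST['tte_caption'] ) );
    update_post_meta( $post_id, '_tte_caption', $caption );
}
function tte_render_caption( $post_id ) {
    $caption = get_post_meta( $post_id, '_tte_caption', true );
    // Escape for the context the value lands in: esc_attr() inside an attribute,
    // esc_html() in element text. Escaping on output also protects rows that
    // were stored before sanitization existed, which matters when patching a
    // site that already holds attacker-supplied data.
    printf(
        '<div class="tte-caption" title="%s">%s</div>',
        esc_attr( $caption ),
        esc_html( $caption )
    );
}
add_action( 'save_post', 'tte_save_caption' );
```

After upgrading past an affected release, existing meta values should be reviewed or re‑sanitized, since a fix that only escapes new input leaves previously stored payloads in place until output escaping covers them.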