Impact
The Smart Agenda WordPress plugin contains an Improper Neutralization of Input During Web Page Generation flaw that allows Stored Cross-Site Scripting. When attackers insert crafted script content into plugin fields, that content is stored in the database and later rendered unescaped inside web pages, so it can execute arbitrary script in the browser of any visitor. This can lead to session hijacking, credential theft, or theft of confidential data displayed to the user. The weakness is classified as CWE-79.
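As an added illustration (constructed here, not code from the Smart Agenda plugin), the pattern behind CWE-79 in a WordPress plugin: a settings field saved and echoed raw, beside the same field saved with input sanitization, a capability and nonce check, and output escaping through WordPress's own functions. The option names, function names and the `manage_options` capability are assumptions, not the plugin's actual identifiers.

```php
<?php
// Constructed example, not Smart Agenda code. Option name 'sa_demo_title' is hypothetical.

// --- Vulnerable pattern: stored value is echoed without escaping ---
function sa_demo_save_vulnerable() {
    // Raw POST value written to the database as-is.
    update_option( 'sa_demo_title', $_POST['sa_demo_title'] );
}

function sa_demo_render_vulnerable() {
    // Rendered unescaped: any <script> stored above runs in every visitor's browser.
    echo '<h2>' . get_option( 'sa_demo_title' ) . '</h2>';
}

// --- Hardened pattern: authorize, sanitize on write, escape on output ---
function sa_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'sa_demo_save' );   // rejects forged (CSRF) requests
    $title = sanitize_text_field( wp_unslash( $_POST['sa_demo_title'] ?? '' ) );
    update_option( 'sa_demo_title', $title );
}

function sa_demo_render_hardened() {
    // Escape at the point of output; sanitizing on input alone is not enough,
    // because the stored value may be edited or written by another code path.
    echo '<h2>' . esc_html( get_option( 'sa_demo_title', '' ) ) . '</h2>';
}

// If a field legitimately holds limited HTML (e.g. a description), allow only
// the post-safe tag whitelist on output instead of escaping everything.
function sa_demo_render_rich() {
    echo '<div class="sa-desc">' . wp_kses_post( get_option( 'sa_demo_desc', '' ) ) . '</div>';
}
```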
Affected Systems
The vulnerability exists in the Smart Agenda plugin for WordPress, affecting all releases from the initial version up to and including 4.9. Any WordPress site still running an affected release of this plugin lacks the fix.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate risk, and the EPSS score of less than 1% suggests a low likelihood of public exploitation at this moment. The vulnerability is not listed in the CISA KEV catalog, so no known mass exploitation is reported. Attackers can exploit the issue by creating malicious content that the plugin stores and later displays, typically via the plugin's administration interface. Successful exploitation therefore requires access to the plugin's data entry interface, which may be restricted to site administrators or trusted users.
OpenCVE Enrichment