Impact
This vulnerability allows attackers to inject arbitrary JavaScript into a page that is rendered to users, leading to information theft, session hijacking, or drive-by compromise. It stems from improper neutralization of user input during the generation of web pages and is classified as a stored XSS flaw (CWE-79). The effect is that any visitor to a page that displays the malicious input could execute the script in the context of the site, potentially compromising the confidentiality, integrity, or availability of user data and the affected WordPress site.
Affected Systems
The flaw affects the WordPress plugin My Resume Builder developed by abditsori, specifically all released versions up to and including 1.0.3. Users of the plugin on any WordPress installation are therefore at risk if they have not upgraded beyond this release.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, implying no known widespread or actively exploited campaigns. Attackers would typically use the plugin’s input fields that persist data: because that input is stored and later rendered without sanitization, any script it contains is served to every visitor of the affected page. As with XSS generally, the attack is carried out remotely, either by interacting with the vulnerable page or by submitting crafted data to a form that the plugin processes.
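An added illustration, not the plugin's own code, of the store-then-render pattern this advisory describes: a hypothetical "summary" field is persisted and echoed unsafely, then shown with WordPress-style sanitization on input and escaping at output. The helper names sanitize_text_field and esc_html are real WordPress functions; the shims below are assumed stand-ins so the file also runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). The shims approximate the real
// WordPress helpers only when they are not already defined.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation: strip tags and control characters, then trim.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample submission carrying script markup in a text field.
$submitted = ['summary' => 'Engineer <script>alert(1)</script>'];

// Unsafe shape (CWE-79): the value is persisted as-is and echoed as-is,
// so the markup becomes part of the page every visitor loads.
function render_unsafe(array $stored): string {
    return '<p>' . $stored['summary'] . '</p>';
}

// Hardened shape: sanitize when storing, and escape at the point of output.
function store_sanitized(array $input): array {
    return ['summary' => sanitize_text_field($input['summary'] ?? '')];
}
function render_safe(array $stored): string {
    return '<p>' . esc_html($stored['summary']) . '</p>';
}

$stored_unsafe = $submitted;                 // what the vulnerable flow keeps
$stored_safe   = store_sanitized($submitted); // tags removed before storage

echo 'unsafe:       ', render_unsafe($stored_unsafe), PHP_EOL; // live markup
echo 'safe:         ', render_safe($stored_safe), PHP_EOL;     // inert text

// Rows written before a fix are still in the database; output escaping
// alone neutralizes them, which is why the escape belongs at render time.
echo 'escaped only: ', render_safe($stored_unsafe), PHP_EOL;
```

The third line of output shows the defensive point: even unsanitized stored data is harmless once the template escapes it, so fixing the output side protects existing records as well as new ones.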
OpenCVE Enrichment