Impact
AA Web Servant 12 Step Meeting List is vulnerable to a stored cross‑site scripting flaw because user input is not properly neutralized when generating web pages. An attacker who can inject data into the plugin’s storage can later cause arbitrary malicious scripts to execute in the browsers of any visitors who view affected pages. The weakness is a classic input validation flaw (CWE‑79) that compromises confidentiality, integrity and availability of user data and can be leveraged for credential theft, defacement or other malicious actions.
Affected Systems
This issue applies to the WordPress plugin 12 Step Meeting List from AA Web Servant, versions 3.18.3 and earlier. Sites running any of those releases are potentially affected. Since the vulnerability persists across all earlier releases, any host that has never upgraded past 3.18.3 is at risk.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate impact, and an EPSS score below 1% indicates a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Because the payload is stored in website content, injected JavaScript executes only when a user loads an affected page; this is a typical stored XSS reached through data entry into the plugin, requiring no special privileges beyond the ability to submit or edit content that the plugin stores.
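As an added illustration (not code from the 12 Step Meeting List plugin, whose internals this advisory does not show), a hypothetical meeting-list renderer with the unescaped pattern that produces stored XSS beside the hardened form using WordPress's esc_html/esc_attr/esc_url helpers; the simplified fallbacks let it run outside WordPress.

```php
<?php
// Hypothetical example, not the plugin's real code. Outside WordPress the
// esc_* helpers are not defined, so simplified stand-ins are provided here.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        // Stand-in: only http(s) links are kept; any other scheme is dropped.
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Constructed sample record, as it might come back from plugin storage.
// The name field carries markup that a contributor managed to save.
$meeting = [
    'name'  => 'Tuesday Group <script>alert(1)</script>',
    'notes' => 'Back entrance, 2nd floor',
    'url'   => 'javascript:alert(document.cookie)',
];

// VULNERABLE: stored values are concatenated straight into the page,
// so the saved markup runs in every visitor's browser (CWE-79).
function render_meeting_unsafe(array $m): string {
    return '<li class="meeting" data-notes="' . $m['notes'] . '">'
         . '<a href="' . $m['url'] . '">' . $m['name'] . '</a></li>';
}

// HARDENED: every value is escaped for the exact context it lands in:
// HTML text, attribute value, or URL.
function render_meeting_safe(array $m): string {
    return '<li class="meeting" data-notes="' . esc_attr($m['notes']) . '">'
         . '<a href="' . esc_url($m['url']) . '">' . esc_html($m['name']) . '</a></li>';
}

echo render_meeting_unsafe($meeting), PHP_EOL; // browser executes the script
echo render_meeting_safe($meeting), PHP_EOL;   // shows literal "<script>" text, link dropped
```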