An improper neutralization of input during web page generation allows malicious JavaScript to be stored in the Sessions plugin and later rendered when a page is loaded. The vulnerability is a stored XSS flaw that can be exploited by injecting script code into a data field that the plugin processes and persists, leading to cross‑site scripting when the content is displayed to users. The potential impact includes theft of session cookies or other sensitive data, defacement of content, and execution of arbitrary actions in the context of the victim’s browser.

The Sessions plugin by Pierre Lannoy is affected when its version is 3.2.0 or earlier. The vulnerability applies to any WordPress installation that has the plugin installed and uses the vulnerable versions.

The CVSS score of 5.9 indicates a moderate severity level. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a stored input field within the plugin’s administration interface; an attacker who can submit data will have that script executed for every user who views the affected page. No special conditions are required beyond having the vulnerable plugin active.