Impact
Photonicgnostic’s Library Bookshelves plugin for WordPress contains an improper neutralization of input that allows attackers to store malicious JavaScript. When an attacker inserts crafted script into a stored field such as a book description, the code is later rendered unescaped in the plugin’s web pages, resulting in stored cross-site scripting. This can lead to cookie theft, session hijacking, defacement, or execution of arbitrary code within the visitor’s browser context.
Affected Systems
The vulnerability affects the Library Bookshelves plugin in all versions up to and including 5.11. The plugin is developed and distributed by photonicgnostic under that name. Any WordPress installation running the plugin at version 5.11 or earlier is potentially exposed.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate severity. The EPSS of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation campaigns are documented. The attack vector is likely a legitimate administrative or content-editing interface that accepts user input and renders it without proper output encoding; the attacker must first obtain access to a writable content field. Successful exploitation enables arbitrary JavaScript execution in the victim’s browser.
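The unsafe rendering pattern the advisory describes beside its hardened form, as an added PHP example (not the Library Bookshelves plugin’s own code): render_book_unsafe, render_book_safe and the $book array shape are hypothetical, and the fallback definitions only let the file run outside WordPress, where the real esc_html() and wp_kses_post() are used instead.

```php
<?php
// Added example, not the plugin's code. Function names and the $book
// record are hypothetical; the sample input below is constructed.

// Fallbacks so the file runs with plain `php render-example.php`.
// Inside WordPress these are never defined and the core functions apply.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Rough stand-in for WordPress's allowlist filter: keep a few
    // formatting tags, drop every other tag (script included).
    function wp_kses_post($text) {
        return strip_tags((string) $text, '<b><i><em><strong><p><br>');
    }
}

// Vulnerable pattern: stored fields echoed with no output encoding,
// so whatever was saved into the description runs in the visitor's browser.
function render_book_unsafe(array $book) {
    return '<div class="book"><h3>' . $book['title'] . '</h3>'
         . '<p>' . $book['description'] . '</p></div>';
}

// Hardened pattern: escape plain-text fields and pass rich-text fields
// through an allowlist at output time, regardless of how they were saved.
// Sanitizing on save (e.g. sanitize_text_field) is defense in depth, not a
// substitute, because stored data may predate the fix or arrive by import.
function render_book_safe(array $book) {
    return '<div class="book"><h3>' . esc_html($book['title']) . '</h3>'
         . '<p>' . wp_kses_post($book['description']) . '</p></div>';
}

// Constructed sample record: the script tags are inert placeholders used
// only to show that the safe renderer neutralizes them.
$book = [
    'title'       => 'Dune <script>/* constructed */</script>',
    'description' => '<em>Classic</em> sci-fi<script>/* constructed */</script>',
];

echo "UNSAFE: " . render_book_unsafe($book) . "\n";
echo "SAFE:   " . render_book_safe($book) . "\n";
```

In the safe output the title’s angle brackets appear as `&lt;` / `&gt;` and the description keeps only `<em>`, which is the check to apply when reviewing a plugin’s templates for this class of bug.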
OpenCVE Enrichment