Impact
Improper neutralization of input during web page generation allows an attacker to inject malicious scripts that are stored and subsequently displayed to site visitors. The stored XSS flaw can run arbitrary JavaScript in the context of users who view author information, potentially exposing sensitive data, hijacking sessions, or defacing the site. This vulnerability affects the confidentiality and integrity of the site’s users and could lead to broader compromise if the attacker gains access to administrative functions.
Affected Systems
WordPress sites running the AuthorSure plugin by vendor Russell Jamieson, versions up to and including 2.3, are affected. This covers every release from the earliest (unlisted) version through 2.3. No specific WordPress core version is required.
Risk and Exploitability
The CVSS score of 5.9 classifies the issue as moderate severity, and an EPSS score below 1% indicates a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires the ability to submit or modify author information through the plugin’s interface, so the attack surface is limited to users who can influence that content. Once the script is stored, it executes in the browser of anyone who views the affected author page, allowing attackers to steal credentials, deface content, or perform other malicious actions.
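The two paragraphs above describe the mechanism in general terms: an author field is saved without neutralization and later written into the page as-is. The following PHP is an added example, not the AuthorSure plugin’s code, that puts the vulnerable rendering pattern beside its hardened form. The field names, the sample stored record and the helper names are constructed for illustration; `htmlspecialchars()` stands in for the contextual escaping a WordPress plugin would get from `esc_html()`, `esc_attr()` and `esc_url()`.

```php
<?php
// Added example (not the plugin's own code): an unescaped author record becomes
// stored XSS when echoed into the page; contextual output escaping neutralizes it.
// Field names and the sample record below are constructed for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: stored author data is concatenated straight into markup.
 * Whatever was saved, <script> tags included, is interpreted by the browser.
 */
function render_author_vulnerable(array $author): string
{
    return '<div class="author-box">'
        . '<a href="' . $author['url'] . '">' . $author['name'] . '</a>'
        . '<p>' . $author['bio'] . '</p>'
        . '</div>';
}

/**
 * Hardened pattern: each value is escaped for the context it lands in.
 * htmlspecialchars() here plays the role of WordPress's esc_html()/esc_attr();
 * the link target additionally passes through a scheme allow-list (cf. esc_url()).
 */
function render_author_hardened(array $author): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    $url = safe_url($author['url']);

    return '<div class="author-box">'
        . '<a href="' . $esc($url) . '">' . $esc($author['name']) . '</a>'
        . '<p>' . $esc($author['bio']) . '</p>'
        . '</div>';
}

/** Keep only http(s) links; any other scheme (javascript:, data:, ...) is dropped. */
function safe_url(string $url): string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'])) {
        return '';
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : '';
}

// Constructed sample of what an attacker-influenced author record could hold.
$stored = [
    'name' => 'Jane <b>Doe</b>',
    'url'  => 'javascript:alert(1)',
    'bio'  => 'Writer.<script>alert(1)</script>',
];

echo "Vulnerable:\n", render_author_vulnerable($stored), "\n\n";
echo "Hardened:\n", render_author_hardened($stored), "\n";
```

Running it prints the first block with a live `<script>` element and a `javascript:` link, and the second with `&lt;script&gt;` entities and an empty `href`. Escaping on output is the fix that actually closes the flaw; sanitizing on save (for example with `wp_kses_post()` in WordPress) is worthwhile defense in depth but does not replace it, because the same stored value may be rendered in several contexts.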