The vulnerability permits an attacker to embed JavaScript payloads that are stored within the Nextend Facebook Connect plugin and served to every visitor of the site. Because the script executes in the context of the WordPress blog, an attacker could deface content, hijack user sessions, or deliver additional malware. The flaw is a classic input validation weakness identified as CWE‑79.

WordPress installers that have the Nextend Facebook Connect plugin from Nextendweb with a revision up to and including 3.1.19 are impacted. Any WordPress site using a vulnerable version, irrespective of hosting provider or server configuration, is susceptible.

The CVSS base score of 6.5 places the issue in the moderate severity bracket, while the EPSS value of less than 1% indicates a very low probability of exploitation in the current landscape. The most likely attack vector is via legitimate input controls in the plugin’s admin interface; an attacker would need to supply a malicious payload through a form field that the plugin then persists. Stored XSS remains active until the compromised data is purged or the plugin is upgraded. The vulnerability is not listed in CISA’s KEV catalog at present.