Impact
The vulnerability is an improper neutralization of user input during page generation, a CWE‑79 (Cross‑Site Scripting) weakness, present in the MailOptin plugin developed by properfraction. It permits an attacker to store malicious script code that executes when the stored data is rendered in visitors’ browsers. This stored cross‑site scripting can enable session hijacking, cookie theft, defacement of content, or the injection of additional harmful payloads within the WordPress environment. Any user who views a page that displays the stored, unsanitized data will have the script executed in their own browser, exposing the site’s integrity and user confidentiality to the attacker.
Affected Systems
The affected product is the MailOptin plugin for WordPress, provided by the vendor properfraction. All installations running version 1.2.75.0 or earlier are vulnerable. The flaw resides in the handling of user‑supplied content such as opt‑in forms or email templates, which are persisted in the database and later inserted into generated pages.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate severity, while the EPSS score of less than 1 % denotes a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply malicious input that the plugin will store; the likely attack vector is an authenticated site administrator or user with permissions to create or edit opt‑in campaigns. Once the input is stored, any visitor to the affected page will have the script executed in their browser, providing the attacker with potential access to session data or the capability to modify website content. The use of stored XSS elevates the risk compared to reflected XSS because the payload persists and can affect many users over time.
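The following PHP snippet is an added illustration, not MailOptin’s code, of the two points made above: how a stored field that is persisted and later interpolated into a generated page becomes a CWE‑79 sink, and what the context‑aware escaping that neutralizes it looks like. It also includes a small review check that flags already‑stored rows containing markup, which is the practical question a site owner has after reading the risk section. The campaign array, field names and function names are all constructed for the example; `esc_html()` and `esc_attr()` are WordPress’s real escaping helpers, and the `htmlspecialchars` fallback only exists so the file also runs under a plain `php` command line.

```php
<?php
// Added illustration (not MailOptin's code): a stored XSS arises when
// persisted opt-in content is echoed into a page unescaped. Field and
// function names below are hypothetical.

// Escape for an HTML text context. Inside WordPress, esc_html() does this;
// the fallback lets the file run under plain `php` outside WordPress.
function render_escape_html(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for an HTML attribute context (esc_attr() in WordPress).
function render_escape_attr(string $value): string {
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed stand-in for a campaign row read back from the database.
// Two fields carry markup that was stored without neutralization.
$campaign = [
    'id'       => 42,
    'headline' => 'Join our list<script>/* constructed sample */</script>',
    'button'   => 'Subscribe" onmouseover="/* constructed sample */',
];

// VULNERABLE pattern (CWE-79): stored values interpolated directly into
// the page, so the browser parses attacker-controlled markup.
function render_campaign_vulnerable(array $c): string {
    return '<h2>' . $c['headline'] . '</h2>'
         . '<button value="' . $c['button'] . '">Go</button>';
}

// HARDENED pattern: every value escaped for the context it lands in,
// text content with the HTML escaper and attribute values with the
// attribute escaper.
function render_campaign_hardened(array $c): string {
    return '<h2>' . render_escape_html($c['headline']) . '</h2>'
         . '<button value="' . render_escape_attr($c['button']) . '">Go</button>';
}

// Review check for data stored before a fix was applied: flag string
// fields that contain a tag or an inline event-handler attribute so the
// rows can be inspected. It is a triage aid, not a sanitizer.
function find_suspicious_fields(array $c): array {
    $hits = [];
    foreach ($c as $field => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (preg_match('/<\s*\/?\s*[a-z]/i', $value)
            || preg_match('/\bon[a-z]+\s*=/i', $value)) {
            $hits[] = $field;
        }
    }
    return $hits;
}

echo "Vulnerable output:\n", render_campaign_vulnerable($campaign), "\n\n";
echo "Hardened output:\n", render_campaign_hardened($campaign), "\n\n";
echo "Fields needing review: ", implode(', ', find_suspicious_fields($campaign)), "\n";
```

Run with `php example.php`: the vulnerable rendering emits the script element and the injected attribute verbatim, the hardened rendering shows them as inert text, and the review check reports `headline, button`. Where a field is intended to hold limited HTML (the email templates the advisory mentions), full escaping would break legitimate content; the WordPress equivalent there is an allowlist filter such as `wp_kses_post()` applied at render time, with the same rule that the stored value is never trusted as safe markup.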
OpenCVE Enrichment