Impact
The Genesis Club Lite plugin improperly neutralizes input during web page generation, which allows attackers to store malicious scripts in the site. Successful exploitation leads to the execution of arbitrary JavaScript in the context of the website’s domain, which can be used to steal user credentials, hijack sessions, deface content, or redirect users to phishing sites. The flaw is a classic stored cross-site scripting (XSS) issue: the attacker crafts input that the plugin persists and then renders, unescaped, on subsequent page loads.
Affected Systems
The vulnerability applies to the Genesis Club Lite plugin developed by Russell Jamieson and affects every release up to and including 1.17. No specific sub‑versions are listed, so any installation running 1.17 or earlier should be treated as potentially affected.
Risk and Exploitability
With a CVSS score of 6.5, the issue is rated moderate severity. The EPSS score of less than 1 % indicates a very low predicted likelihood of exploitation in the wild, and the flaw is not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The attack vector appears to be web‑based, requiring the attacker to persuade or trick a user into submitting data that the plugin stores and later includes in site output. No publicly disclosed exploits are known, but because the flaw is stored, injected code affects every visitor to the affected page until it is remediated.
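The following PHP is an added illustration of the stored-XSS pattern described above and of the output-encoding fix that neutralizes it; it is not code from the Genesis Club Lite plugin and makes no claim about where in that plugin the flaw sits. The `$store` array is a constructed stand-in for WordPress's options table (`update_option()`/`get_option()`), `htmlspecialchars()` plays the role that `esc_html()` or `esc_attr()` would in a real plugin, and the `audit_store()` helper is a hypothetical defender's check for markup already persisted in settings.

```php
<?php
// Added example (not the plugin's own code): the generic stored-XSS pattern the
// advisory describes, beside the output-encoding fix, plus a stored-data audit.
declare(strict_types=1);

/** Constructed stand-in for plugin storage; a real plugin would call update_option(). */
function store_setting(array &$store, string $key, string $value): void {
    // Persisting raw input is tolerable only if EVERY output path encodes it.
    $store[$key] = $value;
}

/** VULNERABLE: the stored value is concatenated into HTML with no neutralization (CWE-79). */
function render_vulnerable(array $store, string $key): string {
    return '<div class="club-message">' . ($store[$key] ?? '') . '</div>';
}

/** FIXED: encode at the point of output. In WordPress this is esc_html() for text
 *  content and esc_attr() for attribute values; wp_kses_post() if limited HTML is wanted. */
function render_fixed(array $store, string $key): string {
    $safe = htmlspecialchars($store[$key] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="club-message">' . $safe . '</div>';
}

/** Hypothetical defender's audit: list stored keys whose values contain HTML tags,
 *  so an administrator can review what was persisted before the fix was applied. */
function audit_store(array $store): array {
    $flagged = [];
    foreach ($store as $key => $value) {
        if (preg_match('/<\s*\/?\s*[a-z]/i', $value) === 1) {
            $flagged[] = $key;
        }
    }
    return $flagged;
}

// Constructed input: a settings value carrying an inline script, as a low-privileged
// user might submit through a form the plugin stores without encoding.
$store = [];
store_setting($store, 'welcome_text', 'Welcome <script>alert("xss")</script>');

echo render_vulnerable($store, 'welcome_text'), PHP_EOL; // script tag reaches the browser intact
echo render_fixed($store, 'welcome_text'), PHP_EOL;      // angle brackets become &lt; and &gt;
print_r(audit_store($store));                            // flags 'welcome_text' for review
```

The fix is applied at render time rather than at storage time on purpose: encoding on output protects every template that reads the value, whereas sanitizing only on input leaves data that was stored before the patch (or written through another path) unprotected, which is exactly why the advisory notes that injected content keeps affecting visitors until it is remediated. The audit helper gives the defender a way to find such already-stored values after upgrading.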
OpenCVE Enrichment