Impact
Improper neutralization of input during web page generation in the SEO Auto Linker plugin enables stored cross‑site scripting (XSS). A malicious actor can inject script code that is saved and later executed in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, defacement or other downstream attacks. The weakness is classified as CWE‑79, the injection of untrusted data into web content.
Affected Systems
The vulnerability affects Arjan Olsder’s SEO Auto Linker WordPress plugin, versions from the earliest release through 1.5.3 inclusive. Users of any WordPress installation running the plugin at or below this version are impacted.
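To check an installation against the affected range above, the following added example (not part of the advisory or the plugin) scans a plugins directory and classifies every copy of the plugin it finds. It assumes the plugin is identified by its "Plugin Name" header, since the advisory gives no directory name, and that the plugins path is passed on the command line.

```python
import re
import sys
from pathlib import Path

AFFECTED_NAME = "seo auto linker"  # plugin name as written in the advisory
LAST_AFFECTED = (1, 5, 3)          # advisory: all versions through 1.5.3 inclusive
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def read_header(php_file):
    """Parse 'Plugin Name' and 'Version' from the first 8 KiB of a plugin file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields

def version_tuple(text):
    """'1.5.3' -> (1, 5, 3); None when the string has no leading numeric version."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None

def classify(version_text):
    """Return 'affected', 'not-affected' or 'unknown' for a version string."""
    v = version_tuple(version_text)
    if v is None:
        return "unknown"  # missing or unparseable version: review by hand
    # Pad to equal length so 1.5 compares as 1.5.0 and 1.5.3.0 equals 1.5.3.
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return "affected" if pad(v) <= pad(LAST_AFFECTED) else "not-affected"

def scan(plugins_dir):
    """Yield (file, version, status) for each copy of the plugin under plugins_dir."""
    root = Path(plugins_dir)
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        header = read_header(php)
        if header.get("plugin name", "").lower() == AFFECTED_NAME:
            version = header.get("version", "")
            yield php, version, classify(version)

if __name__ == "__main__":
    # Usage: python scan_plugin.py /path/to/wp-content/plugins
    hits = list(scan(sys.argv[1])) if len(sys.argv) > 1 else []
    for path, version, status in hits:
        print(f"{status:12} {version or '?':8} {path}")
    # Non-zero exit when any copy is affected or could not be classified.
    sys.exit(1 if any(s != "not-affected" for _, _, s in hits) else 0)
```

The non-zero exit status lets the check run from a scheduled job or configuration-management task across many sites.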
Risk and Exploitability
The CVSS score of 5.9 indicates moderate overall risk. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in CISA KEV. The description indicates that malicious input can be stored in the plugin’s data and later served to browsers, which can lead to client‑side confidentiality and integrity compromise. The CVE description does not specify the attack vector, so how the malicious content is introduced is unknown.