Impact
This vulnerability allows an attacker to inject malicious scripts that are stored in the WordPress Simple Link List Widget plugin and later rendered on pages viewed by other users. The improper neutralisation of input leads to a classic stored cross-site scripting exposure, which can be leveraged to steal credentials, deface content, or redirect victims. The weakness is identified as CWE-79 and does not provide a direct path to remote code execution, but it enables a range of client-side attacks that compromise the confidentiality and integrity of affected sites.
Affected Systems
The Simple Link List Widget plugin for WordPress, developed by jimmywb, is affected in all releases up to and including version 0.3.2. Users running any of these versions are susceptible to the stored XSS flaw.
Risk and Exploitability
The CVSS score of 5.9 places this flaw in the medium severity range. The EPSS score of less than 1% indicates a low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation would involve an attacker submitting malicious content via the plugin’s input fields, which is then displayed to other site visitors. Given the low external exploitation probability, the risk is largely contingent on the attacker’s ability to target specific sites through this plugin.
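As an added illustration of the weakness class described above (not the plugin's code, which this advisory does not show), the following hypothetical WordPress widget stores link text/URL pairs and renders them; the field names and option layout are assumptions. It places the unescaped-output pattern behind CWE-79 beside a hardened form that uses WordPress's own sanitisation and escaping helpers.

```php
<?php
// Added illustration, not the Simple Link List Widget plugin's code: a hypothetical
// widget storing link text/URL pairs, showing the CWE-79 pattern (stored options
// echoed unescaped) beside a hardened form using WordPress's own helpers.
class Hypothetical_Link_List_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'hypo_link_list', 'Hypothetical Link List' );
    }

    // Runs when the widget form is saved: constrain what gets stored.
    public function update( $new_instance, $old_instance ) {
        $instance          = array( 'links' => array() );
        $instance['title'] = sanitize_text_field( $new_instance['title'] ?? '' );
        foreach ( (array) ( $new_instance['links'] ?? array() ) as $link ) {
            $url = esc_url_raw( $link['url'] ?? '' ); // returns '' for disallowed schemes
            if ( '' === $url ) {
                continue; // drop entries whose URL is empty after sanitisation
            }
            $instance['links'][] = array(
                'text' => sanitize_text_field( $link['text'] ?? '' ),
                'url'  => $url,
            );
        }
        return $instance;
    }

    // Vulnerable pattern (CWE-79): stored values concatenated straight into markup.
    // Shown only to contrast with widget() below.
    private function render_unescaped( $instance ) {
        echo '<h2>' . $instance['title'] . '</h2><ul>';
        foreach ( $instance['links'] as $link ) {
            echo '<li><a href="' . $link['url'] . '">' . $link['text'] . '</a></li>';
        }
        echo '</ul>';
    }

    // Hardened output: escape at render time with the escaper that matches the
    // HTML context (URL attribute vs. text node), regardless of what was stored.
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<h2>' . esc_html( $instance['title'] ?? '' ) . '</h2><ul>';
        foreach ( (array) ( $instance['links'] ?? array() ) as $link ) {
            printf( '<li><a href="%s">%s</a></li>', esc_url( $link['url'] ), esc_html( $link['text'] ) );
        }
        echo '</ul>' . $args['after_widget'];
    }
}
```

Sanitising in update() limits what reaches the database, but the escaping in widget() is what actually closes the stored XSS, since the option could also be written by other code paths.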
OpenCVE Enrichment