Impact
This vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows a stored cross‑site scripting (XSS) attack. The weakness is based on the insufficient sanitization of user‑supplied content before it is written to the database and later rendered in the browser, thus enabling an attacker to inject malicious scripts that are executed in the context of any user who views the impacted content. The primary impact is the ability to run arbitrary JavaScript in the victim’s browser, which could be used to steal session cookies, deface pages or redirect users to malicious sites.
Affected Systems
The flaw affects the WordPress plugin Master Paper Collapse Toggle created by Luis Rock, with all releases from the initial version through 1.1 susceptible. Any WordPress site using this plugin within that version range is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity for stored XSS. The EPSS score of less than 1% suggests that exploit traffic is currently very low, although some attackers may still target known sites. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically exploit the plugin’s content input fields to persist malicious code, which is then automatically rendered for all site visitors. Detection would rely on observing unexpected script execution or anomalous traffic from the plugin’s pages.
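Because the injected content is persisted, a site owner can also audit what is already stored instead of waiting for script execution to be observed. The sketch below is an added example, not code from the plugin or from this advisory: it parses stored values and reports markup that would run script when rendered. The `(id, value)` row layout and the sample rows are constructed assumptions; how the plugin's stored fields are exported is site-specific.

```python
from html.parser import HTMLParser

# Elements that execute or embed active content when rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes holding a URL, which can carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects markup in one stored value that would run script in a browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS:
                if (value or "").strip().lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit(rows):
    """Return {row_id: [findings]} for rows whose stored value has active content."""
    report = {}
    for row_id, stored in rows:
        finder = ActiveContentFinder()
        finder.feed(stored)
        finder.close()
        if finder.findings:
            report[row_id] = finder.findings
    return report


# Constructed sample rows (id, stored value); not taken from any real site.
SAMPLE_ROWS = [
    (1, "<p>Read <b>more</b> about shipping</p>"),
    (2, '<img src="x.png" onerror="track()">'),
    (3, '<a href="JavaScript:void(0)">details</a>'),
    (4, "Title<script src=//cdn.example/a.js></script>"),
    (5, "&lt;script&gt;shown as text&lt;/script&gt;"),  # already escaped: inert
]

if __name__ == "__main__":
    for row_id, findings in audit(SAMPLE_ROWS).items():
        print(row_id, findings)
```

Row 5 is not reported because its markup was entity-escaped before storage, so a browser shows it as text; rows 2 to 4 are the kind of value that should never have reached the database unsanitized.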