Improper neutralization of input during web page generation in Thomas Harris's Search Cloud One plugin allows malicious script code to be stored and subsequently rendered in the site’s content, resulting in a stored XSS condition. This flaw is identified as CWE‑79 and can potentially enable an attacker to inject scripts that execute whenever a visitor loads the affected page, possibly allowing session hijacking, defacement of content, or delivery of phishing payloads. The typical XSS consequences are documented, but the specific impact would depend on the exploitation context.

The Search Cloud One plugin for WordPress, supplied by Thomas Harris, is vulnerable in all releases from the first unknown version up to and including 2.2.5. Versions newer than 2.2.5 are presumed fixed unless the vendor’s changelog indicates otherwise.

The CVSS score of 5.9 indicates a moderate severity, while an EPSS score below 1% shows a very low probability of mass exploitation at present. The vulnerability is not recorded in the CISA KEV catalog, suggesting it has not yet been widely exploited. Attackers would need to supply crafted input via the plugin’s user interface, which is stored and later rendered unsanitized in the site; once a payload is present, it remains effective until the plugin is updated or the malicious data is removed. The likely attack vector involves an authenticated or unauthenticated user entering malicious code into a search‑related field that is then displayed on the front‑end.