The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject malicious scripts that are stored in the WordPress vipdrv plugin. This is a CWE‑79 flaw (Improper Neutralization of Input During Web Page Generation). Because the plugin fails to sanitize user‑supplied data, the injected code is retained in the database and rendered in future requests, enabling a stored cross‑site scripting attack. This can lead to theft of session cookies, credential hijacking, defacement of the site, or execution of arbitrary client‑side actions for any visitor who views the affected content.

The affected product is the WordPress vipdrv plugin (Vipdr – Vip Test Drive) developed by Ivan Drago. Versions from the first release up to and including 1.0.3 are affected by the stored XSS flaw. All WordPress instances that have any of these plugin versions installed are at risk.

The CVSS score of 5.9 indicates a moderate severity impact. The EPSS score of less than 1% implies a low probability of exploitation at the present time. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely through user‑visible input fields or configuration options that the plugin stores and later renders. Successful exploitation requires an attacker to supply malicious code that the plugin records; the code is then served to all site visitors. Because the flaw is stored, any authenticated user who can submit the input (or an unauthenticated user if the plugin permits it) can trigger the payload.