The WP Tesseract plugin for WordPress contains an improper neutralization of input during web page generation vulnerability (CWE‑79) that allows attackers to inject malicious scripts that are stored and later executed in the browser of any user that views the affected content. An attacker could use this stored XSS to hijack user sessions, deface sites, or perform phishing attacks, compromising the confidentiality, integrity, and availability of the website’s information. The vulnerability is limited to the plugin’s stored content mechanisms and does not require elevated privileges on the server.

All installations using tattersoftware’s WP Tesseract plugin with versions through 1.0.2 are affected. The vulnerability applies to any instance where the plugin is active, regardless of the WordPress theme or other plugins. No specific sub‑versions are explicitly listed; any version from the earliest available up to and including 1.0.2 is vulnerable.

The CVSS score of 5.9 classifies this as a medium‑risk vulnerability, and the EPSS score of less than 1% indicates a very low probability of active exploitation at this time. It is not included in the CISA KEV catalog. The likely attack vector is through the web application interface, where an attacker with the ability to submit or manipulate content processed by the WP Tesseract plugin can embed malicious scripts that are persisted in the database and later rendered in browsers. No specific conditions beyond accessing the affected plugin’s data entry points are required.