Impact
The vulnerability is a stored cross‑site scripting flaw that enables an attacker to inject malicious scripts into web pages served by a WordPress site. Because the injection is stored, the malicious payload can persist in the plugin’s data and be rendered to any user who views pages that include the affected content. This weakness, classified as CWE‑79, can lead to session hijacking, defacement, or theft of sensitive data by compromising the integrity and confidentiality of the site’s users.
Affected Systems
The flaw resides in the WordPress plugin AdWords Conversion Tracking Code by kcseopro and affects all releases up to and including version 1.0. Any WordPress installation running this plugin at version 1.0 or earlier is potentially affected.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability in the medium severity range, while the EPSS indicator of less than 1% suggests that exploitation is uncommon. The plugin does not appear in CISA’s KEV catalog, further reducing the immediacy of known attacks. Exploitation requires an attacker to inject a malicious payload into the plugin’s storage area, which is typically accessible through the admin interface. Once inserted, the payload is rendered on pages viewed by other users, providing an indirect attack vector rather than direct remote code execution.
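As an added illustration that is not the plugin's own code (the option, hook and function names are assumed), the stored‑XSS pattern described above is shown beside a hardened version that checks authorisation, sanitises on save and escapes on output:

```php
<?php
// Illustrative only: not the affected plugin's code. Option and hook names are assumed.

// --- Vulnerable pattern: admin-supplied text is stored unsanitised and echoed raw ---
function vuln_save_tracking_label() {
    if ( isset( $_POST['tracking_label'] ) ) {
        // No capability check, no nonce, no sanitisation: whatever is posted is stored.
        update_option( 'vuln_tracking_label', wp_unslash( $_POST['tracking_label'] ) );
    }
}
add_action( 'admin_init', 'vuln_save_tracking_label' );

function vuln_print_tracking_label() {
    // The stored value reaches every visitor's browser unescaped (CWE-79).
    echo '<div class="tracking-label">' . get_option( 'vuln_tracking_label', '' ) . '</div>';
}
add_action( 'wp_footer', 'vuln_print_tracking_label' );

// --- Hardened pattern: authorise, verify the request, sanitise on save, escape on output ---
function safe_save_tracking_label() {
    if ( ! isset( $_POST['tracking_label'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only site administrators may change plugin settings
    }
    check_admin_referer( 'safe_tracking_save' ); // rejects forged (CSRF) submissions
    // sanitize_text_field() strips tags and control characters before the value is stored.
    $label = sanitize_text_field( wp_unslash( $_POST['tracking_label'] ) );
    update_option( 'safe_tracking_label', $label );
}
add_action( 'admin_init', 'safe_save_tracking_label' );

function safe_print_tracking_label() {
    // Escape at the point of output so stored text can never become markup or script,
    // e.g. a constructed value "<b>x</b>" is rendered literally as &lt;b&gt;x&lt;/b&gt;.
    echo '<div class="tracking-label">' . esc_html( get_option( 'safe_tracking_label', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'safe_print_tracking_label' );
```

Where a plugin exists to emit a tracking snippet verbatim, escaping would neutralise its purpose, so the control shifts to strictly limiting who may set the value (capability and nonce checks) and logging changes to it.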
OpenCVE Enrichment