Impact
A stored cross-site scripting (XSS) flaw allows an attacker to inject malicious JavaScript into data stored by the MyBookTable Bookstore plugin for WordPress. If an attacker can add or modify content such as product titles or descriptions, the script runs in the browser of every user who views the affected page. This could lead to credential theft, defacement, or the execution of arbitrary script in the context of the site's visitors.
Affected Systems
The vulnerability exists in all versions of the MyBookTable Bookstore plugin up to and including 3.6.0, distributed by the vendor zookatron. Any WordPress site running a version in that range is affected until the plugin is upgraded beyond version 3.6.0.
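To check an installation against the affected range above, the following added example (not part of the advisory or the plugin's code) reads the WordPress plugin header and compares its version numerically with 3.6.0. It assumes the header's `Plugin Name` field contains "MyBookTable" and that plugins sit one directory deep under the scanned folder; the sample header is constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = (3, 6, 0)      # advisory: all versions up to and including 3.6.0
NAME_MARKER = "mybooktable"    # assumption: appears in the "Plugin Name" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

# Constructed sample header (not copied from the real plugin file).
SAMPLE = """<?php
/*
Plugin Name: MyBookTable Bookstore
Version: 3.5.2
*/
"""

def read_header(php_source):
    """Return the 'plugin name' and 'version' fields of a plugin header."""
    fields = {}
    # WordPress only looks for header fields in the first 8 KiB of the file.
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(text):
    """'3.5.2-beta' -> (3, 5, 2); '3.6' -> (3, 6, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(php_source):
    """True/False for a MyBookTable header, None for any other plugin."""
    h = read_header(php_source)
    if NAME_MARKER not in h.get("plugin name", "").lower():
        return None
    if "version" not in h:
        return True  # unknown version: treat as affected until verified
    return version_tuple(h["version"]) <= LAST_AFFECTED

def scan(plugins_dir):
    """Yield (path, affected) for each matching plugin file under plugins_dir."""
    for php in Path(plugins_dir).glob("*/*.php"):
        verdict = is_affected(php.read_text(errors="replace"))
        if verdict is not None:
            yield str(php), verdict

if __name__ == "__main__":
    print(is_affected(SAMPLE))
```

Comparing versions as integer tuples rather than strings keeps a release such as 3.10.0 from being misread as older than 3.6.0.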
Risk and Exploitability
The CVSS score of 6.5 classifies the flaw as a medium-severity issue, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Based on the description, the attack vector likely involves an attacker gaining write access to the plugin's data entry form and injecting a malicious payload that persists in the database and is then served to end users when the affected pages are rendered.