Impact
The vulnerability is an improper neutralization of input during web page generation in the BasePress Knowledge Base documentation & wiki plugin – BasePress, which allows an attacker to inject malicious scripts that are stored and later rendered by the plugin. Because the input is not correctly escaped, scripts stored in the plugin's content can execute in the browser of any user who views the affected page, leading to theft of session cookies, defacement, or other malicious client-side actions. The weakness is classified as CWE-79. The impact is confined to the user session in which the injected script runs, but it can be leveraged to compromise the entire site if an attacker gains persistent control of the content.
Affected Systems
BasePress Knowledge Base documentation & wiki plugin – BasePress versions from the first release through 2.17.0.1 are affected. Versions beyond 2.17.0.1 are not listed as vulnerable, implying that the fix is contained in later releases. Site administrators using any version at or below 2.17.0.1 are at risk.
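An added example, not part of the advisory or the plugin's code: a check that reads the `Version:` header from a plugin's main PHP file and compares it numerically against the 2.17.0.1 bound stated above. The sample header is constructed, and the function names are hypothetical.

```python
import re
from typing import Optional

# Upper bound of the affected range, taken from the advisory text above.
LAST_AFFECTED = "2.17.0.1"
# WordPress plugin metadata lives in a header comment; "Version:" is a standard field.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def header_version(plugin_source: str) -> Optional[str]:
    """Return the Version header value from a plugin's main PHP file, if any."""
    # WordPress only scans the first 8 KiB of the file for headers.
    m = _VERSION_RE.search(plugin_source[:8192])
    return m.group(1) if m else None

def version_key(version: str) -> tuple:
    """Turn '2.17.0.1' into (2, 17, 0, 1) for numeric, not lexical, comparison."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits.group()))
    # Drop trailing zeros so that 2.17 and 2.17.0 compare equal.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return version_key(version) <= version_key(LAST_AFFECTED)

def audit(plugin_source: str) -> str:
    version = header_version(plugin_source)
    if version is None:
        return "unknown: no Version header found"
    if is_affected(version):
        return f"affected: {version} is at or below {LAST_AFFECTED}"
    return f"not listed as affected: {version} is above {LAST_AFFECTED}"

# Constructed sample header, not copied from the real plugin file.
SAMPLE = """<?php
/**
 * Plugin Name: BasePress
 * Version: 2.9.3
 */
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A plain string comparison would sort 2.9.3 above 2.17.0.1 and report it as outside the affected range, which is why the components are compared as integers.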
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of real-world exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw allows stored XSS, anyone with write access to the plugin's content can embed malicious payloads, making exploitation straightforward for those with such permissions. A typical attack vector would involve a malicious user, anonymously or legitimately, creating a knowledge base entry with embedded script tags; the script then runs in every visitor's browser. The vulnerability requires the attacker to create or modify content, so users without write access cannot exploit it directly.