The Query Posts plugin includes a vulnerability that allows stored cross‑site scripting due to improper neutralization of input during web page generation. Malicious code can be injected into the plugin’s database fields and then executed in the browsers of any user who views the affected content. Based on the description, it is inferred that the potential consequences—such as defacement of the site, theft of user credentials, or session hijacking—are typical of XSS attacks.

The flaw affects the Query Posts plugin by Justin Tadlock for WordPress. All releases up to and including version 0.3.2 are vulnerable; any WordPress installation still running a vulnerable version of Query Posts is at risk.

The CVSS score of 6.5 classifies the issue as a moderate severity vulnerability, while the EPSS score of less than 1 % indicates that exploitation is currently considered unlikely. The vulnerability is not indexed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to supply malicious payloads that the plugin stores and later renders, so the primary vector is a web‑based interaction with the plugin’s content handling routines. Successful exploitation requires that a browser fetch a page that displays the stored data, causing the embedded script to run.