Impact
The vulnerability is an improper neutralization of input that allows stored cross‑site scripting in the Rock Convert plugin for WordPress. The flaw lets an attacker inject malicious script that the plugin stores and later renders in the browser of anyone who views the affected page. It is inferred from the nature of stored XSS that an attacker might be able to steal cookies, hijack sessions, or perform other client‑side attacks, although the official notice does not explicitly describe these outcomes. No further attack consequences are described in the official notice, but because the payload is stored, the injected code persists in the site's content and runs on every view until it is removed.
Affected Systems
The affected product is the Rock Content Rock Convert WordPress plugin, versions up through 3.0.1. Any WordPress site with this plugin installed at a version earlier than 3.0.2 is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate risk level. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is web‑based; it is inferred that the flaw can be exploited by an attacker who can inject content into the plugin’s input fields and later cause that content to be displayed on the site. Because this is stored XSS, exploitation does not require user interaction beyond loading the affected page.
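As an added illustration of the vulnerability class, not the plugin's actual code: a hypothetical WordPress plugin option (the rc_demo_* names are invented) rendered first without output escaping, then with sanitization on save and escaping on output, which is the mitigation a fix for this kind of flaw typically applies.

```php
<?php
// Added example, not Rock Convert's code. All rc_demo_* names are invented.
// A plugin stores a "banner text" option from an admin form and prints it
// on the public site; this is the shape of most stored XSS in plugins.

// --- Unsafe pattern: stored value echoed as-is ---------------------------
function rc_demo_render_banner_unsafe() {
    $text = get_option( 'rc_demo_banner_text', '' );
    // Whatever was saved, including <script> or onerror= attributes,
    // is written straight into the HTML of every page that calls this.
    echo '<div class="rc-banner">' . $text . '</div>';
}

// --- Hardened pattern: gate the write, sanitize on save, escape on output --
function rc_demo_register_settings() {
    // sanitize_callback runs before the value reaches the database.
    register_setting(
        'rc_demo',
        'rc_demo_banner_text',
        array( 'sanitize_callback' => 'sanitize_text_field' )
    );
}
add_action( 'admin_init', 'rc_demo_register_settings' );

function rc_demo_save_banner( $raw ) {
    // Only users allowed to manage options may change the stored value,
    // and the request must carry a valid nonce for this form.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'rc_demo_save_banner' );
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    return update_option( 'rc_demo_banner_text', $clean );
}

function rc_demo_render_banner_safe() {
    $text = get_option( 'rc_demo_banner_text', '' );
    // esc_html() encodes < > & " ' so stored markup is displayed, not run.
    // Use esc_attr() instead when the value lands inside an attribute.
    echo '<div class="rc-banner">' . esc_html( $text ) . '</div>';
}

// If limited HTML must be allowed, filter through wp_kses_post(), which keeps
// post-safe tags and strips script tags and event-handler attributes.
function rc_demo_render_banner_rich() {
    $html = get_option( 'rc_demo_banner_html', '' );
    echo '<div class="rc-banner">' . wp_kses_post( $html ) . '</div>';
}
```

When reviewing a plugin for this class of bug, look for every `echo`/`print` of a value read from `get_option()`, post meta, or request parameters and confirm it passes through one of the `esc_*` or `wp_kses*` functions appropriate to its HTML context.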
OpenCVE Enrichment