Impact
The vulnerability is a stored cross-site scripting flaw caused by improper input sanitization in the Attesa Extra plugin for WordPress. It allows an attacker to inject malicious JavaScript that runs in the browser of legitimate users viewing pages that display the compromised content, potentially exposing session cookies, defacing the site, or redirecting traffic. The weakness is classified as CWE-79, indicating insufficient escaping of user-supplied data before it is rendered on the page.
Affected Systems
CrestaProject Attesa Extra, a WordPress plugin, is affected in version 1.4.7 and all earlier releases. Any WordPress installation running one of those versions is vulnerable.
Risk and Exploitability
This issue carries a CVSS score of 6.5, denoting medium severity, and an EPSS score of less than 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker to submit a payload through a plugin input field that accepts user data; the payload then executes when the stored content is displayed to visitors. Because the exploit is stored and relies on user interaction, the risk is moderate but sufficient to warrant swift mitigation.
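The CWE-79 pattern described in the Impact and Risk sections, as an added example that is not the Attesa Extra plugin's own code: a plugin that stores user-supplied text and later renders it, shown in its vulnerable form beside a hardened one. The function names, option shape and sample input are assumptions constructed for illustration; the shims only let the file run as plain PHP, and inside WordPress the real escaping functions are used.

```php
<?php
// Shims so this file runs outside WordPress (simplified versions of the
// real esc_html / esc_attr / esc_url / sanitize_text_field behaviour).
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    // WordPress esc_url() returns '' for schemes it does not allow (e.g. javascript:).
    function esc_url(string $u): string { return preg_match('#^https?://#i', $u) ? esc_attr($u) : ''; }
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// VULNERABLE (the CWE-79 shape): stored values are concatenated straight into
// a text node, an attribute value and an href with no context-aware escaping.
function attesa_demo_render_unsafe(array $stored): string {
    return '<h2 class="attesa-title" data-label="' . $stored['title'] . '">'
         . $stored['title'] . '</h2><a href="' . $stored['link'] . '">Read more</a>';
}

// HARDENED, step 1: normalize when the field is saved. This alone is not
// sufficient: strip_tags leaves quotes that still break out of an attribute.
function attesa_demo_sanitize(array $raw): array {
    return [
        'title' => sanitize_text_field($raw['title'] ?? ''),
        'link'  => sanitize_text_field($raw['link'] ?? ''),
    ];
}

// HARDENED, step 2: escape for the exact output context at render time:
// esc_attr in attribute values, esc_html in text nodes, esc_url in href.
function attesa_demo_render_safe(array $stored): string {
    return '<h2 class="attesa-title" data-label="' . esc_attr($stored['title']) . '">'
         . esc_html($stored['title']) . '</h2><a href="' . esc_url($stored['link']) . '">Read more</a>';
}

// Constructed sample submission with the markers a stored-XSS probe relies on
// (a tag, a closing quote, and a non-http scheme in the link).
$submitted = [
    'title' => '<script>probe()</script> Welcome"',
    'link'  => 'javascript:probe()',
];

echo 'unsafe: ' . attesa_demo_render_unsafe($submitted) . PHP_EOL;
$safe = attesa_demo_render_safe(attesa_demo_sanitize($submitted));
echo 'safe:   ' . $safe . PHP_EOL;

// Defender's check: the hardened output contains neither a script tag nor the
// disallowed scheme, and the stray quote is rendered as &quot;.
assert(strpos($safe, '<script') === false && strpos($safe, 'javascript:') === false);
assert(strpos($safe, '&quot;') !== false);
```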
OpenCVE Enrichment