Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the CoSchedule Headline Analyzer plugin for WordPress. An attacker can inject malicious script code into a headline, which the plugin saves and later renders on web pages. The injected code runs in the browser of any user who views the stored headline, allowing the attacker to steal session cookies, deface the site, or execute further attacks. The flaw is categorized as CWE-79, improper neutralization of input during web page generation.
Affected Systems
Affected systems are WordPress sites that have the CoSchedule Headline Analyzer plugin installed at any version from the initial release up to and including 1.3.7. No other products or vendors are listed. Sites running later releases are not impacted by this specific stored-XSS issue.
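An added example, not part of the advisory or the plugin's own code: a Python check that reads the `Version:` header from a plugin's main PHP file and tests it against the affected range stated above (up to and including 1.3.7). The function names and the sample header are constructed for illustration; the plugin's file path is not given on this page and must be supplied by the operator.

```python
import re
from pathlib import Path

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = "1.3.7"

# WordPress reads plugin metadata from a header comment in the main PHP file.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '1.3.7' into (1, 3, 7); a non-numeric tail in a part is ignored."""
    parts = []
    for part in text.strip().split("."):
        digits = re.match(r"\d+", part)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, compared numerically, not as strings."""
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) <= pad(b)


def header_version(php_source):
    """Return the Version: value from a plugin header, or None if absent."""
    match = VERSION_HEADER.search(php_source[:8192])  # WordPress scans the first 8 KB
    return match.group(1) if match else None


def triage(plugin_file):
    """Classify one plugin main file as 'affected', 'not affected' or 'unknown'."""
    version = header_version(Path(plugin_file).read_text(errors="replace"))
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


# Constructed sample header; the plugin name line is illustrative only.
SAMPLE = "<?php\n/*\n * Plugin Name: Example Headline Plugin\n * Version: 1.3.7\n */\n"

if __name__ == "__main__":
    print(header_version(SAMPLE), is_affected(header_version(SAMPLE)))
```

The numeric comparison matters here: a plain string comparison would rank 1.3.10 below 1.3.7 and wrongly report it as affected.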
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. With an EPSS score of less than 1% and no listing in the CISA KEV catalog, the likelihood of widespread exploitation is low at present. Exploitation requires that the attacker be able to insert a malicious headline into the plugin's input, which is then stored and displayed to site visitors. The attack vector is a web application input field; while it is not purely remote, it can be triggered through normal use of the plugin or via social engineering. Administrators should therefore treat this as a moderate-risk vulnerability that merits prompt remediation.