A stored cross‑site scripting flaw exists in the Dynamic User Directory plugin. The vulnerability permits an attacker to embed malicious JavaScript that is persisted in the plugin’s data store and subsequently rendered to any user who views the affected page. When the page is displayed, the injected code runs in the victim’s browser, potentially allowing the attacker to modify the page’s appearance or interact with the browser in other unintended ways.

WordPress sites that incorporate the Sarah Giles Dynamic User Directory plugin with a version of 2.3 or earlier are affected. Any installation using this plugin range is at risk because the plugin does not properly neutralize input when generating web pages.

The CVSS score of 5.9 identifies the flaw as having moderate impact, while the EPSS score of < 1 % indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Based on the description it is inferred that an attacker could inject malicious script into a directory entry or other value that the plugin records; once stored, the code would be served to any visitor of the page containing the entry. No additional specialized privileges or conditions are described in the advisory, so the flaw is potentially exploitable through any input field that the plugin accepts.