Impact
The Draft Notify plugin for WordPress contains a stored cross-site scripting vulnerability that arises from improper neutralization of user input when generating web pages. This flaw allows attacker-supplied script to be saved in the plugin's stored data and later served to any visitor of the site when the affected content is displayed. The weakness is a classic instance of CWE-79 and may lead to client-side exploitation such as session hijacking, defacement, or cookie theft, depending on the attacker's payload. Based on the description, it is inferred that the injection vector is a form or interface provided by the plugin, where input is collected and persisted without adequate sanitization.
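As an added illustration of the CWE-79 pattern described above (this is not the Draft Notify plugin's code; the option name, hook names and form fields are hypothetical), the unescaped-output handler that produces this class of flaw in a WordPress plugin, beside a hardened form that checks capability and nonce, sanitizes on input and escapes on output for the right context:

```php
<?php
// Hypothetical WordPress plugin fragment, added for illustration only.
// Option name, hook names and form fields are assumptions, not the plugin's.

// Vulnerable pattern: the submitted value is persisted as-is and later
// written into the page with no output escaping (CWE-79).
function example_save_message_unsafe() {
    // No capability check, no nonce, no sanitization of the submitted value.
    update_option( 'example_notify_message', $_POST['message'] );
}

function example_render_message_unsafe() {
    // Stored text becomes part of the HTML, so any markup or script inside it
    // runs in the browser of every visitor who views this content.
    echo '<div class="notice">' . get_option( 'example_notify_message' ) . '</div>';
}

// Hardened pattern: restrict who may write, verify the request, sanitize on
// input and, most importantly for stored XSS, escape on output per context.
function example_save_message_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_save_message' ); // rejects forged requests
    $message = isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '';
    update_option( 'example_notify_message', sanitize_text_field( $message ) );
}

function example_render_message_safe() {
    $message = get_option( 'example_notify_message', '' );
    // HTML body context: esc_html() makes stored text inert as markup.
    echo '<div class="notice">' . esc_html( $message ) . '</div>';
}

function example_render_form() {
    // The stored value is re-displayed inside an attribute, so escape for that context.
    $current = get_option( 'example_notify_message', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_message' );
    echo '<input type="hidden" name="action" value="example_save_message">';
    echo '<input type="text" name="message" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Route the form submission to the hardened handler.
add_action( 'admin_post_example_save_message', 'example_save_message_safe' );
```

Sanitizing on input alone is not sufficient: stored data may arrive through other paths (imports, older records, REST calls), so the escaping at render time is the control that actually closes the CWE-79 hole.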
Affected Systems
WordPress sites running the Draft Notify plugin by TouchOfTech at version 1.5 or earlier are affected. Every build from the initial release through 1.5 carries the flaw. The vulnerability is independent of specific WordPress core or theme versions. Administrators and editors who use the plugin's content creation features exercise the vulnerable code path, but the presence of the flaw does not depend on any particular role.
Risk and Exploitability
The EPSS score of less than 1% suggests that the likelihood of wide-scale exploitation is currently low, and the security bulletin does not list the flaw in the CISA KEV catalog, indicating that no high-profile attacks are known. The CVSS score of 5.9 indicates medium severity, reflecting moderate potential impact on client-side confidentiality, integrity and availability through stored XSS. Because the issue is a stored XSS, the attack surface exists whenever data entered via the plugin is rendered to users; the site operator can observe the effect of malicious scripts executing in users' browsers. While the description does not explicitly state the required attack vector, it is inferred that the vulnerability is exploitable by authenticated users who can submit or edit content through the plugin's interface.
OpenCVE Enrichment