Impact
The Gift Hunt plugin contains an Improper Neutralization of Input During Web Page Generation vulnerability that allows stored XSS. Insufficiently filtered input can be saved by the plugin and later displayed to other users without proper output encoding. This flaw is classified as CWE-79 and may enable a malicious actor to inject script code that executes in the browsers of site visitors, leading to credential theft, session hijacking, defacement, or the delivery of further malware. The impact is information disclosure and potential compromise of user sessions rather than direct compromise of the server.
Affected Systems
The vulnerability affects the Gift Hunt plugin for WordPress, version 2.0.2 and earlier. The validated product name is the "Gift Hunt" e-commerce component. No specific operating system or server version is required, because the flaw lies in the WordPress plugin code itself.
Risk and Exploitability
The CVSS score of 5.9 denotes moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector requires an attacker to submit malicious input through a page or form that the plugin accepts and stores; the stored payload is then rendered to any visitor of the affected page. Although exploitation does not grant code execution on the server, the potential damage to user accounts and site trust makes it a concern for sites that rely on the plugin for store operations.
OpenCVE Enrichment