Stored XSS occurs when malicious code embedded by an attacker is saved in the application’s data store and later rendered in a victim’s browser without proper escaping. In this case the Bold Timeline Lite plugin accepts input that is not neutralized during page generation, allowing an attacker to inject JavaScript that will run in the context of any user who views the affected timeline. Typical consequences include session hijacking, credential theft, defacement of content, and insertion of further malicious assets.

WordPress sites using the Bold Timeline Lite plugin from its earliest available releases up to and including version 1.2.7 are impacted. Any instance of the plugin built on those versions is vulnerable until an update to a patched release is applied.

The CVSS score of 6.5 indicates a moderate severity level; it does not grant the attacker privilege escalation or out‑of‑band impact but can lead to significant credential compromise. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an attacker to supply input via the plugin’s interface (such as timeline entry fields) which is then stored and subsequently displayed to users. The lack of additional privileges or network reachability limits the damage to the affected WordPress installations.