The vulnerability is an improper neutralization of user input during web page generation, allowing a malicious actor to embed arbitrary JavaScript that is stored and later rendered within the Flaming Password Reset plugin interface. This stored XSS can execute in the browsers of any visitor to the affected page, potentially stealing cookies, session data, or performing actions on behalf of the user. The weakness, classified as CWE‑79, enables direct compromise of confidentiality and integrity for targeted victims on the site.

The issue affects the WordPress plugin jcaruso001 Flaming Password Reset, specifically any installation running version 1.0.3 or earlier. The vendor’s documentation indicates the vulnerability exists from the earliest released version through <= 1.0.3, with no specific lower bound provided. Administrators of WordPress sites utilizing this plugin should verify the installed version and consider remediation accordingly.

The CVSS score of 6.5 reflects moderate overall risk, while the EPSS score of < 1% suggests a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the WordPress admin interface where an authenticated or user‑controlled input is saved and later displayed; an attacker would need to create or modify a reset request that contains malicious script. Provided the user sees the page containing the stored payload, the store XSS would trigger execution in their browser.