Impact
The Auto Bulb Finder for WordPress plugin is vulnerable to stored Cross‑Site Scripting through its "abf_vehicle" shortcode. Because the plugin neither sanitizes the shortcode's attribute values on input nor escapes them on output, an authenticated user can embed JavaScript in those attributes. The injected script runs whenever a page containing the shortcode is viewed, potentially allowing the attacker to steal session cookies, deface content, or perform further malicious actions within the victim's browser context. Based solely on the supplied description, the vulnerability does not grant arbitrary code execution on the server; it enables client‑side script execution that can affect any user who views the compromised page. The only user role required is Contributor or higher, so the vector is limited to authenticated accounts with moderate permissions.
Affected Systems
This flaw affects the mtoolstec Auto Bulb Finder for WordPress plugin, versions up to and including 2.8.0. Any WordPress site that has this plugin installed and permits contributor‑level or higher user accounts to insert the "abf_vehicle" shortcode is susceptible. The issue is confined to the plugin and does not extend to core WordPress components or other plugins.
Risk and Exploitability
The CVSS score of 6.4 classifies the vulnerability as moderate, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Contributor privileges: an attacker would need to supply a crafted shortcode containing malicious JavaScript, which the plugin then stores and executes for any site visitor. While the attack requires authentication, once the shortcode is in place it affects every user who views the page, giving client‑side attacks broad exposure.
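The following contrasts the unescaped shortcode pattern described above with a hardened version and adds a triage helper for site owners. It is an added illustration, not code from the Auto Bulb Finder plugin: the attribute names `make` and `model` are assumed, and the code assumes it runs inside WordPress, where `shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html` and `get_posts` are available.

```php
<?php
// Hypothetical shortcode handlers illustrating the bug class in this advisory.
// Not the plugin's code; the attribute names are assumed for the example.

// VULNERABLE pattern: attribute values are interpolated into HTML unchanged.
// A stored value containing a double quote can terminate the data-make
// attribute and introduce new attributes or markup, which every visitor's
// browser then renders.
function abf_vehicle_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'make' => '', 'model' => '' ), $atts, 'abf_vehicle' );
    return '<div class="abf-vehicle" data-make="' . $atts['make'] . '">'
         . $atts['model'] . '</div>';
}

// HARDENED pattern: sanitize on input, then escape for each output context.
function abf_vehicle_safe( $atts ) {
    $atts  = shortcode_atts( array( 'make' => '', 'model' => '' ), $atts, 'abf_vehicle' );
    $make  = sanitize_text_field( $atts['make'] );   // strips tags and control chars
    $model = sanitize_text_field( $atts['model'] );
    // esc_attr() for attribute context, esc_html() for element text content.
    return '<div class="abf-vehicle" data-make="' . esc_attr( $make ) . '">'
         . esc_html( $model ) . '</div>';
}
add_shortcode( 'abf_vehicle', 'abf_vehicle_safe' );

// Triage helper for site owners: returns IDs of posts whose abf_vehicle
// shortcode attributes contain markup, an event-handler-like token or a
// javascript: URL. Heuristic only; review each hit manually.
function abf_vehicle_find_suspicious() {
    $hits  = array();
    $posts = get_posts( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => '[abf_vehicle',
    ) );
    foreach ( $posts as $post ) {
        if ( preg_match( '/\[abf_vehicle[^\]]*(<|on\w+\s*=|javascript:)/i', $post->post_content ) ) {
            $hits[] = $post->ID;
        }
    }
    return $hits;
}
```

Running the triage helper from WP-CLI (for example via `wp eval`) after upgrading the plugin helps confirm that no previously stored shortcode still carries injected content.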
OpenCVE Enrichment