Impact
The Broadstreet plugin contains a stored cross‑site scripting flaw in its administrative settings: values saved there are neither properly sanitized on input nor escaped on output. An attacker who has administrator‑level access can store malicious scripts in the plugin’s settings, which are then rendered unmodified on pages viewed by anyone visiting the site. The injected code runs in the victim’s browser, enabling actions such as session hijacking, credential theft, content defacement, or execution of further malicious payloads. This vulnerability directly jeopardizes the confidentiality, integrity, and availability of the web application’s front‑end for all users who view pages that render the affected settings.
Affected Systems
All installations of the Broadstreet plugin for WordPress up to and including version 1.53.1 are affected when running on multi‑site WordPress installations where the unfiltered_html capability is disabled. The vulnerability resides in the plugin’s administrative configuration screens, which propagate user‑submitted content into page output without proper escaping.
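To make the mechanism concrete, the following added example (not Broadstreet's code; the option name example_footer_note and the function names are hypothetical) shows the vulnerable pattern the advisory describes, an admin setting stored as submitted and echoed unescaped, next to a hardened version that sanitizes on input through a register_setting callback gated on the unfiltered_html capability and escapes on output according to context.

```php
<?php
// Added illustration, not the plugin's own code. The option
// 'example_footer_note' and all function names below are invented.

// --- Vulnerable pattern: stored as submitted, printed unescaped -------------
function example_save_note_unsafe() {
    // Raw POST value written straight to the options table, no sanitization.
    update_option( 'example_footer_note', $_POST['example_footer_note'] );
}

function example_render_note_unsafe() {
    // Echoed without escaping: any stored <script> runs for every visitor.
    echo '<div class="note">' . get_option( 'example_footer_note' ) . '</div>';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Sanitize on input. On multisite, ordinary administrators do not hold
//    unfiltered_html, so their input is reduced to the post-safe allow-list.
function example_sanitize_note( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value; // user is trusted to store raw HTML by site policy
    }
    // wp_kses_post() strips <script>, on* event handlers and javascript: URLs.
    return wp_kses_post( (string) $value );
}

add_action( 'admin_init', function () {
    // WordPress runs the sanitize_callback on every save of this option.
    register_setting(
        'example_settings_group',
        'example_footer_note',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_note',
            'default'           => '',
        )
    );
} );

// 2. Escape on output, chosen by the context the value lands in.
function example_render_note_safe() {
    $note = get_option( 'example_footer_note', '' );
    // Re-filter on output so a value that reached the database by another
    // path (older plugin version, direct DB edit) still cannot inject script.
    echo '<div class="note">' . wp_kses_post( $note ) . '</div>';
}

function example_render_note_field() {
    // The same value inside an HTML attribute needs esc_attr(), not wp_kses_post().
    $note = get_option( 'example_footer_note', '' );
    echo '<input type="text" name="example_footer_note" value="' . esc_attr( $note ) . '">';
}
```

The input-side callback is what the advisory's multisite condition is about: when unfiltered_html is disabled, an administrator's submission must be filtered by the plugin itself, and storing it raw is the defect. The output-side escaping is the second layer; wp_kses_post() for rich text in element content and esc_attr() (or esc_html() for plain text) in attributes, so that a stored value is harmless even if input filtering was bypassed.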
Risk and Exploitability
The CVSS score of 4.4 indicates a low overall severity; however, the flaw requires an attacker to already hold administrator credentials, which is in itself a significant compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not been observed or recorded. The likely attack vector is an account with administrator access logging into the WordPress dashboard, navigating to the Broadstreet settings, and injecting malicious code that later executes in the browsers of all site users. Because the attack requires administrative access, remediation through account management and plugin updates is the recommended approach.
OpenCVE Enrichment