Description
The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The Rent Fetch WordPress plugin is vulnerable to stored cross‑site scripting through the "keyword" parameter. The plugin fails to sanitize or escape user‑supplied input before persisting it to the database and rendering it on page loads. An unauthenticated attacker can inject arbitrary JavaScript that runs whenever a visitor views the affected page, enabling data theft, session hijacking, or the execution of malicious actions in the victim's browser. This weakness is a classic CWE‑79 scenario: unsanitized input coupled with improper output encoding. The injected script executes in the context of the site, potentially affecting all users who view the modified page. Impact is significant for confidentiality, integrity, and availability of exposed data on the front end. The CVSS score of 7.2 indicates a high severity, although the EPSS score of less than 1% shows a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog.

Affected Systems

The affected product is the Rent Fetch plugin for WordPress, released by jonschr. All releases up to and including version 0.32.4 are vulnerable. The vulnerability affects any WordPress installation that uses these plugin versions and accepts the "keyword" query parameter. Upgrading to a later release (0.32.5 or newer) removes the flaw. Any site still running one of the affected versions is at risk. The CVE data does not specify operating system or PHP version dependencies, which suggests the issue resides solely in the plugin code.

Risk and exploitability: With a moderate‑high CVSS, low EPSS, and no KEV listing, the threat is moderate but the potential for damage is high if an attacker can target the vulnerable pages. Because the vector is unauthenticated and based on a common HTTP GET parameter, an attacker can craft a link, share it, and lure users to trigger the malicious script. No special privileges are required beyond the ability to send a request containing the "keyword" value.

Risk and Exploitability

The CVSS score of 7.2 and the fact that the flaw allows arbitrary script execution when a user loads a page mean that the vulnerability can lead to full compromise of the front‑end session. The EPSS score of less than 1% indicates that current exploitation attempts are rare, possibly due to the need to find an active instance of the vulnerable plugin and to craft a suitable payload. Still, the lack of authentication barriers means any public or internal user can become a victim. An attacker's typical approach would involve creating a malicious link containing a script‑laden keyword value, embedding it in a blog post, or sending it via email, where the victim's browser would automatically execute the payload when the malicious page is rendered. Because the vulnerability is not cataloged in CISA's KEV list, there is no documented exploitation campaign targeting it, but the risk remains for sites with the plugin installed and no mitigating controls in place.

Generated by OpenCVE AI on April 15, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rent Fetch plugin to a version newer than 0.32.4 that removes the stored XSS flaw.
  • If an immediate upgrade is not possible, disable or remove any functionality that accepts the "keyword" query parameter, or manually enforce input sanitization for that field.
  • Deploy a web application firewall rule that detects and blocks script payloads targeting the keyword parameter.
  • Configure a strict Content Security Policy that disallows inline scripts and limits allowed script sources to trusted domains.
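The recommendations above boil down to the two halves of a CWE‑79 fix: sanitize the value when it comes in, and escape it for the specific HTML context when it goes out, with a Content Security Policy as defense in depth. The following is an added illustration written for this page, not code from the Rent Fetch plugin; the shortcode name `demo_keyword`, the option name `demo_last_keyword`, and the way the value is stored are assumptions chosen to show the pattern. The WordPress functions used (`shortcode_atts`, `sanitize_text_field`, `wp_unslash`, `esc_attr`, `esc_html`, `update_option`, `add_shortcode`, `add_action`) are real core APIs.

```php
<?php
// Added illustration for this advisory page; not the plugin's own code.
// Shortcode and option names below are hypothetical.

// Unsafe pattern (the shape of a CWE-79 defect): the attribute is accepted
// and rendered with no sanitization on input and no escaping on output, so
// a stored value containing markup becomes live markup on every page load.
function demo_keyword_render_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'keyword' => '' ), $atts, 'demo_keyword' );
    return '<div class="keyword" data-keyword="' . $atts['keyword'] . '">'
         . $atts['keyword'] . '</div>';
}

// Hardened pattern: sanitize on the way in, then escape per output context.
// esc_attr() for the attribute value, esc_html() for the element body.
function demo_keyword_render_safe( $atts ) {
    $atts    = shortcode_atts( array( 'keyword' => '' ), $atts, 'demo_keyword' );
    $keyword = sanitize_text_field( $atts['keyword'] );
    return '<div class="keyword" data-keyword="' . esc_attr( $keyword ) . '">'
         . esc_html( $keyword ) . '</div>';
}
add_shortcode( 'demo_keyword', 'demo_keyword_render_safe' );

// The same rule applies when the value arrives as a GET parameter and is
// persisted: sanitize before storing, and still escape when rendering later,
// because stored data is untrusted regardless of who wrote it.
function demo_store_keyword_from_request() {
    if ( ! isset( $_GET['keyword'] ) ) {
        return;
    }
    $keyword = sanitize_text_field( wp_unslash( $_GET['keyword'] ) );
    update_option( 'demo_last_keyword', $keyword );
}
add_action( 'init', 'demo_store_keyword_from_request' );

// Defense in depth matching the CSP recommendation: disallow inline scripts
// and restrict script sources to the site itself. Adjust the source list to
// whatever the site legitimately loads before enabling this in production.
function demo_send_csp_header() {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'" );
}
add_action( 'send_headers', 'demo_send_csp_header' );
```

Note that sanitization alone is not sufficient: `sanitize_text_field()` strips tags and some control characters, but the attribute context still requires `esc_attr()` and the text context `esc_html()`, since the two encode different characters. The CSP header blocks inline script execution even if an unescaped value does reach the page, which is why it is listed as a compensating control rather than a substitute for the fix.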

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Jonschr; Jonschr rent Fetch; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jonschr; Jonschr rent Fetch; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

Type: Description
Values Added: The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Rent Fetch <= 0.32.4 - Unauthenticated Stored Cross-Site Scripting via 'keyword' Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:20.061Z

Reserved: 2026-02-04T21:00:47.083Z

Link: CVE-2026-1931

Vulnrichment

Updated: 2026-02-18T20:46:16.135Z

NVD

Status: Deferred

Published: 2026-02-18T05:16:28.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses