Improper neutralization of user input (CWE‑79) in BuddyDev MediaPress allows attackers to store malicious scripts that are later executed in web browsers accessing the affected WordPress site. This stored XSS can lead to credential theft, session hijacking, defacement or arbitrary code execution from the perspective of the victim’s browser. The flaw resides in how content submitted through the plugin is rendered without adequate sanitization.

WordPress installations that have installed the MediaPress plugin version 1.6.2 or earlier are affected. Any site using those versions without a later patch is vulnerable.

The likely attack vector is that an attacker must be able to submit or edit content via the MediaPress interface, which typically requires write or administrative privileges on the site. Based on the description, it is inferred that the attacker would embed malicious JavaScript in stored content that is later presented to other site users. The probability of exploitation is very low (EPSS < 1%) and the vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploits. Nevertheless, because the flaw permits arbitrary script execution in a user’s browser, it poses a significant confidentiality and integrity risk for any site user. Organizations should treat this as a medium‑to‑high risk until a patch is applied.