The WordPress plugin ‘Web Accessibility with Max Access’ contains an improper neutralization of input during web page generation, allowing stored cross‑site scripting. Data entered through the plugin can be saved to the database and later rendered on the site without proper escaping. As a result, a malicious actor could supply JavaScript that would be executed in the browsers of anyone who views the affected pages. Typical consequences of stored XSS include cookie theft, session hijacking, and defacement; these outcomes are inferred because the description indicates a stored XSS flaw but does not elaborate on the exact payload or victim impact.

Any WordPress site that has installed Ability, Inc’s Web Accessibility with Max Access plugin version 2.1.0 or older is affected. The vulnerability is tied exclusively to that plugin; no other WordPress core or plugin versions are mentioned in the report.

The CVSS base score of 5.9 points to a moderate risk, while the EPSS value of less than 1 % signals a very low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalogue, suggesting no known widespread attacks have been reported. The available description implies that exploitation would occur through input accepted by the plugin, most likely by an administrator or privileged user inserting data into the plugin’s configuration area. Successful exploitation would inject client‑side code for end‑users, but would not grant direct server‑side access.