Impact
Improper neutralization of user input when generating web pages in the Ays Pro FAQ Builder AYS plugin allows the injection of arbitrary JavaScript that executes in a visitor’s browser. The weakness stems from a lack of output encoding and is identified as an instance of user‑supplied data not being sanitized before rendering. If successful, injected code can hijack user sessions, deface the site, or exfiltrate sensitive data. The vulnerability matches the well‑known pattern of DOM‑based or page‑generation XSS, creating a clear and direct risk to confidentiality, integrity, and availability of user interactions.
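The following is an added illustration, not code from the advisory or from the FAQ Builder plugin itself: it shows the generic page-generation XSS pattern the paragraph describes (a stored value echoed into HTML verbatim) beside the WordPress-idiomatic fix of encoding at the output boundary. The function names `faq_render_unsafe` and `faq_render_safe`, the sample stored value, and the `esc_html` fallback (present only so the file runs outside WordPress) are all assumptions made for this example.

```php
<?php
// Added example (hypothetical functions, not the plugin's own code).

// Stand-in so this file runs outside WordPress. Inside WordPress the real
// esc_html() is already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable pattern: a user-supplied FAQ question is concatenated straight
// into the generated page. Any markup stored in $question becomes live HTML
// (and script) in every visitor's browser.
function faq_render_unsafe( string $question ): string {
    return '<div class="faq-question">' . $question . '</div>';
}

// Hardened pattern: encode at the point of output with the helper that
// matches the HTML context. esc_html() for text nodes; esc_attr() would be
// the right choice inside an attribute value and esc_url() for href/src.
function faq_render_safe( string $question ): string {
    return '<div class="faq-question">' . esc_html( $question ) . '</div>';
}

// Constructed sample stored value: harmless here, but it carries markup,
// which is exactly what must not survive unencoded into the page.
$sample = '<b>What is "AYS"?</b>';

echo "Unsafe:\n", faq_render_unsafe( $sample ), "\n\n";
echo "Safe:\n",   faq_render_safe( $sample ),   "\n";
```

If a field legitimately needs a limited subset of HTML (an FAQ answer with bold text or links, for instance), WordPress provides `wp_kses_post()` to allow-list tags and attributes instead of encoding everything; the wrong choice is to skip the boundary entirely, which is the pattern the advisory describes.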
Affected Systems
WordPress sites that have the Ays Pro FAQ Builder AYS plugin installed and are running any version up to and including 1.8.2 are impacted. The flaw exists from the earliest release of the plugin through the mentioned version limit. Sites that have upgraded beyond 1.8.2 are not affected, but any legacy installations remain at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate‑to‑high severity vulnerability. Based on the description, it is inferred that an attacker can exploit the flaw by submitting malicious content through the plugin’s input fields, a path that does not appear to require authentication due to incorrectly configured access controls. Exploit probability data is not available, and the flaw is not listed as a known exploited vulnerability in CISA’s catalog, suggesting that no large‑scale exploitation has been reported yet. Nonetheless, the lack of authentication barriers makes the threat significant enough to warrant prompt removal or mitigation.
OpenCVE Enrichment