Impact
An attacker can store malicious script code in a field controlled by the WP Bakery Autoresponder Addon plugin; that content is later rendered to other site visitors. Because the script executes in the context of the victim's browser, this stored XSS enables cookie theft, session hijacking, defacement, or further exploitation. The underlying weakness is improper neutralization of input during web page generation, the classic input-validation flaw catalogued as CWE-79.
Affected Systems
WordPress installations running the WP Bakery Autoresponder Addon plugin at version 1.0.6 or earlier are vulnerable. No later versions are listed as affected; the plugin is considered impacted from an unknown earliest version through version 1.0.6.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, indicating a high impact on confidentiality, integrity, and availability when exploited. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at this time. The flaw is not listed in the CISA KEV catalog, so no known active exploitation has been reported. The likely attack vector is an attacker with administrator or content-editing privileges who injects payloads into plugin-controlled fields that are later rendered to other users; it could also be exploited via social engineering, tricking a user into visiting a malicious link that triggers the stored script. The combination of moderate-to-high severity and low exploitation probability argues for timely remediation alongside monitoring for exploitation attempts.
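To make the CWE-79 pattern described above concrete, the following is an added illustration written for this page, not code from the WP Bakery Autoresponder Addon plugin: a hypothetical plugin settings field is stored and later rendered to visitors, first in the vulnerable form (raw input stored and echoed unescaped) and then hardened with an authorization check, a nonce, sanitization on save and escaping on output. The option name, field name, nonce action and capability are assumptions.

```php
<?php
// Added illustration (not the plugin's own code). The option name
// 'autoresp_reply_text', the POST field 'reply_text', the nonce action and
// the capability used below are assumptions for the example.

// --- Vulnerable pattern (CWE-79): stored as-is, echoed unescaped ---
function vuln_save_reply_text() {
    // No capability or nonce check; the raw submitted value is stored.
    if ( isset( $_POST['reply_text'] ) ) {
        update_option( 'autoresp_reply_text', $_POST['reply_text'] );
    }
}

function vuln_render_reply_text() {
    // Whatever was stored is written straight into the page for every visitor,
    // so any <script> or event-handler markup in the option executes in their browser.
    echo '<div class="autoresp-reply">' . get_option( 'autoresp_reply_text' ) . '</div>';
}

// --- Hardened pattern: authorize, validate on save, escape on output ---
function safe_save_reply_text() {
    // Only users permitted to manage settings may change the field.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF protection: the submitting form must carry a valid nonce.
    check_admin_referer( 'autoresp_save_reply', 'autoresp_nonce' );

    if ( isset( $_POST['reply_text'] ) ) {
        // Remove slashes WordPress adds to request data, then strip tags and
        // normalise whitespace before the value is stored.
        $clean = sanitize_text_field( wp_unslash( $_POST['reply_text'] ) );
        update_option( 'autoresp_reply_text', $clean );
    }
}

function safe_render_reply_text() {
    // Escape at the point of output regardless of what is stored: esc_html()
    // encodes <, >, &, ' and ", so previously stored markup is shown as text.
    $text = get_option( 'autoresp_reply_text', '' );
    echo '<div class="autoresp-reply">' . esc_html( $text ) . '</div>';
}

// If the field legitimately needs limited HTML, replace esc_html() with
// wp_kses_post() on output (and use it on save as well) so that only an
// allowlist of tags and attributes survives.
```

Output escaping is the control that neutralises values already sitting in the database; sanitizing on save limits what gets in but does not replace it.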
OpenCVE Enrichment