The WordPress plugin "Age Verification & Identity Verification by Token of Trust" fails to sanitize or escape user input passed to its “description” field. When a malicious value is stored, the plugin later outputs it without proper encoding, allowing an attacker to inject arbitrary HTML or JavaScript that runs in the browser of any user who views the affected content. The impact is the ability for an unauthenticated attacker to execute code in the context of site visitors. Based on the description, it is inferred that an attacker could potentially deface pages, exfiltrate data, or hijack user sessions, although these specific outcomes are not explicitly documented.

The vulnerability exists in all releases of the plugin up to and including version 3.32.3. Any WordPress site that has the Age Verification & Identity Verification by Token of Trust plugin installed at or before version 3.32.3 is affected.

The CVSS score of 7.2 reflects high severity due to the lack of authentication required to supply the vulnerable input and the widespread availability of the described flaw. The EPSS score is not available, and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog, indicating no confirmed exploitation yet. The likely attack vector is unauthenticated; an attacker can supply a malicious ‘description’ payload through the plugin’s input mechanism, which is stored without proper encoding, and causes any visitor to the affected page to execute the injected script.