Impact
The vulnerability resides in the image title field handled by the Better Find and Replace – AI‑Powered Suggestions WordPress plugin. Because the value is neither adequately sanitized on input nor escaped on output, an attacker with an author‑level or higher account can store arbitrary script in the title of an uploaded image. Whenever a user later views a page that renders that image, the injected script executes in that user's browser in the context of the site. The flaw is a stored cross‑site scripting weakness, classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation).
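To make the mechanism concrete, the following is an added illustration written for this page, not code taken from the Better Find and Replace plugin. It contrasts a hypothetical render helper that writes an attachment title straight into the page with one that escapes it for each output context, and adds an input‑side filter as defence in depth. The `bfr_demo_*` function names and the example payloads in the comments are invented; the WordPress functions and the `wp_insert_attachment_data` filter are real.

```php
<?php
// Added illustration for this page; not code from the Better Find and Replace plugin.
// Function names (bfr_demo_*) are invented. The WordPress functions used are real:
// get_post(), wp_get_attachment_url(), esc_url(), esc_attr(), esc_html(),
// sanitize_text_field(), and the wp_insert_attachment_data filter.

// Vulnerable pattern: the stored image title is concatenated into an attribute
// and into a text node without escaping. A constructed title such as
//   " onmouseover="alert(document.domain)
// closes the title attribute and adds an event handler; a title containing
//   <script>...</script>
// lands in the caption as live markup. Both execute for whoever views the page.
function bfr_demo_render_image_unsafe( $attachment_id ) {
    $post  = get_post( $attachment_id );
    $title = $post ? $post->post_title : '';
    $src   = wp_get_attachment_url( $attachment_id );
    return '<img src="' . $src . '" title="' . $title . '">'
         . '<p class="caption">' . $title . '</p>';
}

// Hardened pattern: escape at output, with the escaper that matches the context
// the value lands in. The same $title is now inert in both positions.
function bfr_demo_render_image_safe( $attachment_id ) {
    $post  = get_post( $attachment_id );
    $title = $post ? $post->post_title : '';
    $src   = wp_get_attachment_url( $attachment_id );
    return '<img src="' . esc_url( $src ) . '" title="' . esc_attr( $title ) . '">'
         . '<p class="caption">' . esc_html( $title ) . '</p>';
}

// Defence in depth on the input side: strip tags and control characters from
// attachment titles as they are saved. Note that sanitize_text_field() removes
// the <script> payload but leaves the quote-breakout payload above intact, so
// this reduces what an Author can store but is not a substitute for escaping
// at output; other code paths and rows stored earlier can still carry raw data.
add_filter( 'wp_insert_attachment_data', function ( $data, $postarr ) {
    if ( isset( $data['post_title'] ) ) {
        $data['post_title'] = sanitize_text_field( $data['post_title'] );
    }
    return $data;
}, 10, 2 );
```

The decisive control is the escaping in the second helper: `esc_attr()` neutralizes the quote that would otherwise terminate the `title` attribute, and `esc_html()` turns `<` and `>` into entities so a script tag in the caption is displayed rather than parsed.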
Affected Systems
This issue affects the Better Find and Replace – AI‑Powered Suggestions plugin published by Codesolz. All WordPress sites running a vulnerable version of the plugin, from the first release up to and including 1.7.9, are potentially exposed. Sites that have upgraded to a release newer than 1.7.9 are not affected.
Risk and Exploitability
The CVSS score of 5.4 places the vulnerability in the Medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is currently no public evidence of exploitation in the wild. Nonetheless, the only prerequisite is an authenticated account with the Author role or higher, a role commonly granted to content contributors, and the vulnerable field is reached through the plugin's ordinary image workflow rather than through any unusual request. The absence of a public exploit does not lower the priority of remediation: a stored XSS payload fires for every user who views the affected page, and when that user is an administrator the script runs with the administrator's session, so an author account can serve as a stepping stone to higher privileges. Upgrading the plugin removes the injection point; image titles already stored by untrusted authors are also worth reviewing, since any payload saved before the upgrade remains in the database.
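A check a site owner can run after upgrading, given here as an added example for this page and not as part of the advisory or the plugin: it queries the posts table for image attachments whose titles contain characters or tokens that have no place in a plain title, so payloads stored before the fix can be found and reviewed. The function name and the token list are constructed; `$wpdb`, `$wpdb->prepare()`, `$wpdb->esc_like()`, `$wpdb->posts` and `get_userdata()` are standard WordPress.

```php
<?php
// Added hunting query for this page; not part of the advisory or the plugin.
// Run inside WordPress, e.g. from a mu-plugin or with `wp eval-file find-titles.php`.
function bfr_demo_find_suspicious_image_titles() {
    global $wpdb;

    // Tokens that should not appear in a plain image title (constructed list;
    // extend it with whatever your own review turns up). MySQL LIKE with the
    // default collations is case-insensitive, so ONERROR is matched too.
    $tokens = array( '<', '>', 'javascript:', 'onerror', 'onload', 'onmouseover', 'onfocus', 'srcdoc' );

    $conditions = array();
    $args       = array();
    foreach ( $tokens as $token ) {
        $conditions[] = 'post_title LIKE %s';
        // esc_like() escapes any % or _ inside the token; the surrounding % are wildcards.
        $args[]       = '%' . $wpdb->esc_like( $token ) . '%';
    }

    // %% is a literal percent sign inside $wpdb->prepare().
    $sql = "SELECT ID, post_author, post_title, post_modified
            FROM {$wpdb->posts}
            WHERE post_type = 'attachment'
              AND post_mime_type LIKE 'image/%%'
              AND (" . implode( ' OR ', $conditions ) . ') ORDER BY post_modified DESC';

    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// Print a triage list: attachment ID, the account that owns it, when it was last
// modified, and the raw title (escaped here too, in case this runs in a browser
// rather than under WP-CLI).
foreach ( bfr_demo_find_suspicious_image_titles() as $row ) {
    $author = get_userdata( $row->post_author );
    printf( "%d\t%s\t%s\t%s\n",
        $row->ID,
        $author ? $author->user_login : 'unknown',
        $row->post_modified,
        esc_html( $row->post_title )
    );
}
```

Each hit should be inspected by hand rather than deleted blindly, since a legitimate title can contain `<` or `>`; the owning account and modification time are what point an incident responder at an abused Author login.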
OpenCVE Enrichment