The vulnerability stems from improper neutralization of user input during web page rendering, allowing malicious code to be saved and later executed when anyone visits the affected page. Stored cross‑site scripting can compromise the confidentiality and integrity of data viewed by users, enabling attackers to steal session cookies, inject malicious content, or deface the site. This weakness is categorized under CWE‑79, which includes typical injection of executable scripts into web pages.

The issue affects the WordPress Kubio AI Page Builder plugin crafted by Extend Themes, specifically all released versions up to and including 2.7.0. Users running these plugin versions on their WordPress installations are vulnerable; upgrading to 2.7.1 or later eliminates the flaw.

The CVSS score of 6.5 reflects a moderate severity, combining user interaction with the potential for high impact on website trustworthiness. Thanks to the absence of an EPSS score and no listing in the CISA KEV catalog, the publicly known exploitation likelihood is unclear, but the stored‑XSS nature means that an attacker capable of adding or modifying content—either through a compromised user account or by exploiting another vulnerability—could realize the attack. The attack vector is inferred to be through the plugin’s content input mechanisms, which do not properly sanitize data before storage.