Impact
The Sticky plugin for WordPress contains a stored XSS flaw that affects all releases up to and including 2.5.6. The vulnerability lies in the "readmoretext" attribute of the cvmh-sticky shortcode: the attribute value is passed through apply_filters() and then concatenated directly into the page output without any escaping such as esc_html(). Authenticated users with the Contributor role or higher can therefore inject arbitrary JavaScript that runs in the browser of any user who views a page containing the malicious shortcode. The flaw is classified as CWE-79 and can compromise the confidentiality, integrity, and availability of the site for its users, potentially exposing session data or injecting further malicious content.
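The unescaped concatenation described above, shown beside the escaped form, as an added illustration that is not the Sticky plugin's own source: the anchor markup, the filter hook name, and the shortcode attribute handling are assumptions, and minimal stand-ins for the WordPress core helpers let the file run from the PHP CLI outside WordPress.

```php
<?php
// Added illustration of the advisory's bug pattern; NOT the Sticky plugin's code.
// The anchor markup and the filter hook name are assumptions. Simplified stand-ins
// for WordPress core helpers are defined only when WordPress is not loaded.
if ( ! function_exists( 'apply_filters' ) ) {
    // Filters give other code a chance to modify the value; they do not sanitize it.
    function apply_filters( $hook, $value ) { return $value; }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    // Simplified: real shortcode_atts() also drops keys absent from $pairs.
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) { return array_merge( $pairs, $atts ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern: the attribute value is filtered, then concatenated raw into HTML.
function cvmh_sticky_readmore_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'readmoretext' => 'Read more' ), $atts, 'cvmh-sticky' );
    $text = apply_filters( 'cvmh_sticky_readmoretext', $atts['readmoretext'] ); // hook name assumed
    return '<a class="cvmh-readmore" href="#">' . $text . '</a>'; // any markup in $text is live
}

// Hardened pattern: escape at the point of output with the helper that matches the
// HTML context (esc_html() for a text node; esc_attr() would be used inside an attribute).
function cvmh_sticky_readmore_hardened( $atts ) {
    $atts = shortcode_atts( array( 'readmoretext' => 'Read more' ), $atts, 'cvmh-sticky' );
    $text = apply_filters( 'cvmh_sticky_readmoretext', $atts['readmoretext'] );
    return '<a class="cvmh-readmore" href="#">' . esc_html( $text ) . '</a>'; // < and > become entities
}

// Constructed attribute value containing markup, as a Contributor could supply it
// in [cvmh-sticky readmoretext="..."].
$atts = array( 'readmoretext' => 'Read <em>more</em>' );
echo cvmh_sticky_readmore_vulnerable( $atts ), "\n"; // markup reaches the page intact
echo cvmh_sticky_readmore_hardened( $atts ), "\n";   // markup is rendered inert
```

A code review or static check for this class of bug looks for shortcode handlers and template functions whose return strings concatenate attribute values or filter results without an esc_* call.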
Affected Systems
The flaw affects the Sticky plugin for WordPress distributed by cvmh, specifically all versions up to and including 2.5.6. Any WordPress installation that has the Sticky plugin installed and is running a version in this range is vulnerable.
Risk and Exploitability
The CVSS v3 score of 6.4 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no currently known public exploits. Attackers must be authenticated with Contributor privileges or higher and must add the malicious readmoretext content to a page that uses the shortcode. Once inserted, the script executes automatically for every viewer of the page. Despite the absence of known public exploitation, the ability of a relatively low-privileged role to inject site-wide scripts makes the risk non-negligible for environments where Contributor rights are granted to many users.
OpenCVE Enrichment