Impact
The vulnerability exists in the AzonPost plugin for WordPress and allows attackers to inject arbitrary JavaScript through the `editpos_hidden` parameter. The lack of proper input sanitisation and output escaping lets a malicious actor embed code that is reflected back into the page and executed in the browser of any user who views it, most commonly an administrator. Because the trigger requires the victim to click a crafted link or otherwise interact with a page that carries the parameter, the attack is reflected rather than stored and depends on social engineering to reach its target. The impact is the compromise of web page integrity and the potential for credential theft, defacement, or further lateral movement within the WordPress installation.
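As an added illustration (not the AzonPost plugin's own code), the following PHP contrasts the unsanitised reflection the advisory describes with a form that sanitises on input and escapes for the attribute context on output. Only the parameter name `editpos_hidden` comes from the advisory; the hidden-input markup, the function names and the stand-ins for WordPress's `esc_attr()` and `sanitize_text_field()` are assumptions so the file also runs outside WordPress.

```php
<?php
// Added example, not the AzonPost plugin's code. Only the parameter name
// `editpos_hidden` comes from the advisory; the markup, the function names
// and the stand-ins below are assumptions.

// Stand-ins so the file runs outside WordPress (`php reflect_demo.php`).
// Inside WordPress the real esc_attr()/sanitize_text_field() take over.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of the WordPress helper: drop tags, control chars, padding.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// VULNERABLE: the request value is written into an attribute as-is, so a
// value containing `"` closes the attribute and anything after it is parsed
// as markup. This is the pattern the advisory describes.
function render_editpos_vulnerable(array $request): string {
    $value = $request['editpos_hidden'] ?? '';
    return '<input type="hidden" name="editpos_hidden" value="' . $value . '">';
}

// HARDENED: sanitise on input, then escape for the attribute context on
// output. esc_attr() encodes & < > " ' so the value can neither close the
// attribute nor open a tag, whatever the caller supplied.
function render_editpos_hardened(array $request): string {
    $value = isset($request['editpos_hidden'])
        ? sanitize_text_field($request['editpos_hidden'])
        : '';
    return '<input type="hidden" name="editpos_hidden" value="' . esc_attr($value) . '">';
}

// Constructed input: only the characters that matter for attribute breakout.
$request = ['editpos_hidden' => 'abc"><b>x</b>'];

echo "vulnerable: ", render_editpos_vulnerable($request), PHP_EOL;
echo "hardened:   ", render_editpos_hardened($request), PHP_EOL;
```

Running it shows the first line emitting the `<b>` element as live markup while the second keeps the whole value inside the attribute as encoded text; in a real plugin the sanitise-then-escape pair should be applied at the single point where the value is rendered.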
Affected Systems
All versions of the AzonPost plugin by moch-a, up to and including version 1.3, are affected. The plugin is used within WordPress sites that employ the azonpost-campaign features and expose the `editpos_hidden` parameter in the page interface for administrators.
Risk and Exploitability
The CVSS score of 6.1 marks this issue as a moderate-severity vulnerability. EPSS data is not available, so the probability of exploitation cannot be quantified; the vulnerability is also not listed in CISA's KEV catalog. Attackers would need to lure an administrator into clicking a crafted link that carries the malicious payload; once the link is activated, the injected script runs in the administrator's browser context, potentially giving the attacker remote code execution capabilities within the WordPress site. The vulnerability is exploitable without prior exploitation of other components, though the social-engineering component limits its indiscriminate use.
OpenCVE Enrichment