Impact
The Permalink Manager Lite plugin is vulnerable to stored cross‑site scripting through post titles. The insufficient output escaping in the admin URI Editor allows contributors or higher‑privileged users to embed arbitrary web scripts. When an administrator visits the Permalink Manager page, the malicious script executes in their browser, potentially compromising their session and allowing further attacks such as credential theft or defacement.
Affected Systems
This flaw affects all installations of the Permalink Manager Lite WordPress plugin up to version 2.5.3.3. Users who run older or unpatched versions are at risk, regardless of how many sites are using the plugin. The vulnerability is tied directly to the mbis:Permalink Manager Lite product, so any site employing this plugin is impacted.
Risk and Exploitability
The CVSS base score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low exploitation probability. Because the vulnerability requires authenticated (Contributor+ level) access, the attack surface is limited to users who have been granted such privileges. The flaw is not listed in the CISA KEV catalog, but the cross‑site scripting payload can be delivered via normal administrative interactions, making it a tangible risk for sites with uninhibited contributor roles.
OpenCVE Enrichment