Permanent deletion of arbitrary WordPress posts and pages is possible via the Frontend File Manager Plugin (all versions through 23.6), which omits ownership verification before executing delete operations. Any authenticated user holding author-level access or higher can permanently destroy content they do not own; when an administrator enables the 'Allow guest uploads' setting, the same endpoint becomes reachable by completely unauthenticated users. A public proof-of-concept exists via WPScan; no confirmed actively exploited status (KEV), and EPSS sits at just 0.18% (8th percentile), but the unauthenticated attack path under a non-default configuration is the highest-severity scenario.
Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.
Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. No active exploitation has been confirmed in the CISA KEV catalog, but the attack surface is broad and the operational impact - forced session invalidation, potential database inconsistency from concurrent invocations, and cache destruction - constitutes a meaningful denial-of-service risk against production instances.
Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. No public exploit or CISA KEV listing has been identified at time of analysis, but the C:H confidentiality impact indicates potential for session token or credential harvesting from report consumers.
The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.
Registry credential leakage in regclient (Go OCI library) versions up to and including 0.11.4 exposes authentication secrets to attacker-controlled external servers via crafted OCI image manifests. When regclient fetches a blob layer and the primary registry request fails, it falls back to external URLs defined in the manifest's layer descriptor `urls` field; if the external server issues an HTTP authentication challenge, regclient forwards the original registry credentials to that host. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the attack mechanism is fully documented in the vendor advisory and the exploit path is straightforward for any attacker with registry control.
Credential exposure in Mattermost Plugins (all branches ≤11.6, fixed in 10.18.11, 11.3.6, and 11.6.5.0) leaks valid or partially reconstructable OpenAI API keys into mattermost.log when the OpenAI API returns authentication failure responses. Any user with privileged read access to server logs or downloadable support packets can recover the key and authenticate to the victim organization's OpenAI account. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Scope:Changed rating reflects that successful exploitation grants unauthorized access to an external, out-of-scope resource - the OpenAI account - with full confidentiality impact.
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
Envoy proxy's External Processing (ext_proc) filter crashes with a use-after-free when an ext_proc gRPC server sends a single batched gRPC message containing multiple specially crafted ProcessingResponse objects. Affected versions span 1.34.0 through pre-fix releases across four maintained branches; fixed releases are 1.35.13, 1.36.9, 1.37.5, and 1.38.3. With CVSS PR:L, exploitation requires control of or compromise of the ext_proc gRPC server endpoint, limiting the realistic attacker population but making this a high-priority patch for any deployment running ext_proc. No public exploit code and no CISA KEV listing exist at time of analysis.
Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.
SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.
Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.
Unauthorized file read in Kestra's execution preview API allows any authenticated tenant user to access output files from executions they do not own, bypassing both execution-level and namespace-level isolation. Affected versions span the 1.0.x branch prior to 1.0.45 and the 1.3.x branch prior to 1.3.21. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and purely network-based exploitation path make this a meaningful risk in multi-tenant or shared Kestra deployments where execution output may contain sensitive pipeline data.
CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.
Unauthenticated IDOR in Payment Gateway Based Fees and Discounts for WooCommerce (versions up to and including 3.0.0) allows remote, unauthenticated attackers to manipulate payment gateway fee and discount object references, resulting in unauthorized modification of pricing logic and potential disruption of checkout availability. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction, making this trivially reachable on any exposed WooCommerce storefront running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated entry point lowers the barrier for opportunistic abuse.
Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.
Broken Access Control in the Affiliates Manager WordPress plugin (versions <= 2.9.49) allows an authenticated low-privilege user to perform unauthorized affiliate management actions, achieving high integrity impact due to missing authorization checks (CWE-862). The CVSS vector (PR:L, AV:N, AC:L) confirms exploitation is network-accessible with minimal complexity, requiring only a valid low-privilege account. No active exploitation has been identified at time of analysis, and no patched version has been independently confirmed from the available intelligence.
Cross-site scripting in the StatCounter WordPress plugin (versions up to and including 2.1.1) allows authenticated Contributor-level users to inject persistent malicious scripts into content that executes in the browser context of higher-privileged users who view that content. The CVSS scope change (S:C) indicates the payload can reach sessions beyond the attacker's own - most critically Administrator sessions - enabling session hijacking, credential theft, or unauthorized administrative actions such as creating backdoor accounts. No public exploit identified at time of analysis, and no confirmed active exploitation (no CISA KEV listing).
Stored Cross-Site Scripting in the Featured Image WordPress plugin (≤ 2.1) allows an authenticated Author-level user to inject malicious JavaScript via featured image metadata, which then executes in the browsers of other users - including administrators - who view the affected content. The Scope:Changed CVSS metric confirms the payload escapes the author's own session and can compromise higher-privileged accounts, making privilege escalation the primary real-world risk. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the BNE Testimonials WordPress plugin (versions 2.0.8 and below) allows an authenticated Contributor-level user to inject persistent malicious scripts into testimonial entries. When a privileged user such as an administrator views the affected content, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector underscores that impact extends beyond the contributing user's own session.
Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. No public exploit code or CISA KEV listing is present in the available data; exploitation is constrained to attackers who already have local access to the stdio MCP interface.
Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthorized information disclosure in OpenProject before 17.4.0 allows any authenticated user to retrieve the subjects (titles) of work packages they have been explicitly denied access to, bypassing project-level visibility controls. The flaw exists in the GET /api/v3/relations REST API endpoint, where supplying arbitrary work package IDs to the involved, fromId, or toId filter parameters circumvents the Relation.visible scope due to a defective performance optimization in RelationQuery. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the attack is trivially executable by any platform user with valid credentials, making it a meaningful risk in deployments handling sensitive or confidential project data.
Cross-site scripting in the Ghost Kit WordPress plugin (versions ≤ 3.6.0) allows authenticated Contributor-level users to inject and store malicious JavaScript payloads via plugin block fields or parameters. When a higher-privileged user - such as an editor or administrator - views the affected content, the attacker's script executes in that user's browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No CISA KEV listing or public exploit has been identified at time of analysis; however, the CVSS scope-change indicator (S:C) reflects meaningful cross-user impact that can translate to full site compromise if an admin session is hijacked.
Stored Cross-Site Scripting in the Magazine Blocks WordPress plugin (versions ≤ 1.8.3) allows authenticated contributors to inject persistent malicious JavaScript into page content. Because the vulnerability carries a scope change (S:C in CVSS), successful exploitation targets the browsers of higher-privileged users - typically editors or administrators - who view the affected content. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Real Estate 7 WordPress theme (versions <= 3.5.9) enables unauthenticated remote attackers to forge destructive HTTP requests on behalf of authenticated users, with the CVSS vector indicating high availability impact - consistent with forced deletion of property listings or site content rather than data exposure or modification. Exploitation requires luring an authenticated WordPress session holder to a malicious page, making it a social-engineering-dependent attack. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Stored cross-site scripting in the Fluent Booking WordPress plugin (versions up to and including 2.1.0) enables authenticated contributors to inject arbitrary JavaScript into booking-related content that executes in the browser of any higher-privileged user who reviews or views that content. The CVSS Scope:Changed metric confirms the payload escapes the contributor's low-privilege context and compromises the browser session of editors or administrators, enabling session hijacking or unauthorized privileged actions. No public exploit code or CISA KEV listing exists at time of analysis, but the vulnerability was confirmed and disclosed by Patchstack.
Cross-site scripting in the Neve PRO WordPress theme addon (versions up to and including 3.1.2) allows a contributor-level authenticated user to inject persistent malicious JavaScript that executes in the browser context of other users, including administrators. The S:C scope change in the CVSS vector confirms the payload escapes the WordPress application boundary and executes in the victim's browser session, enabling session hijacking, credential theft, or admin-level privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the medium-priority tier despite the scope-changed impact.
Stored Cross-Site Scripting in SeedProd Pro WordPress plugin (versions below 6.19.5) allows an authenticated Contributor-level user to inject malicious JavaScript that executes in the context of other users' browsers, including administrators. The changed scope (S:C) in the CVSS vector confirms the impact crosses from the plugin's trust boundary into victims' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but patch availability is confirmed by the vendor via Patchstack.
Broken access control in the GIFT4U WordPress plugin (versions ≤ 1.0.10) exposes unauthenticated endpoints that allow remote attackers to perform unauthorized operations against WooCommerce gift card functionality. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials, no user interaction, and no special configuration beyond plugin installation. Reported by Patchstack (audit@patchstack.com) and cataloged under EUVD-2026-39736, this is no public exploit identified at time of analysis, but the trivial exploitation conditions lower the practical bar for abuse.
Sensitive data exposure in the Site Reviews WordPress plugin (versions through 8.0.11) allows authenticated users holding at minimum a subscriber-level account to access private or sensitive review-related data they should not be permitted to view, resulting in high confidentiality impact. The CVSS vector (PR:L, AV:N, AC:L) confirms the flaw is network-exploitable at low complexity with no user interaction required beyond possessing a basic WordPress account. No public exploit code or active exploitation has been identified at time of analysis, though the low barrier to exploitation (any registered user) elevates practical risk.
Sensitive data exposure in GetGenie WordPress plugin (versions through 4.4.2) permits authenticated subscribers to access data outside their authorization scope. The vulnerability, classified under CWE-497, enables low-privilege WordPress users - those with subscriber-level accounts - to retrieve sensitive information that should be restricted to higher-privilege roles. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, but the low attack complexity and broad user-privilege threshold make this a realistic risk on any multi-user WordPress deployment running an affected version.
Stored Cross-Site Scripting in SureCart WordPress plugin versions up to and including 4.2.2 allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The 'Subscriber' designation in the CVE title confirms exploitation requires only a low-privilege WordPress account, lowering the barrier to attack significantly for sites with open registration. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. No public exploit code or active exploitation has been identified at time of analysis.
Broken access control in the WordPress User Registration plugin (versions <= 5.2.2) allows unauthenticated remote attackers to bypass authorization checks and access or manipulate functionality restricted to privileged users. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting network-accessible exploitation with no credentials or user interaction required. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and zero-authentication requirement make this straightforward to exploit opportunistically.
Stored Cross-Site Scripting in the Image Carousel WordPress plugin (versions <= 1.0.0.41) allows authenticated contributors to inject persistent malicious JavaScript into carousel elements. When a higher-privileged user such as an administrator views the affected content, the injected script executes in their browser context, enabling session hijacking or unauthorized administrative actions. No active exploitation or public exploit code has been identified at time of analysis, and the attack is bounded by the requirement for contributor-level access and victim interaction.
Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.
Denial of service in Apache Kerby allows remote attackers to crash a Kerby client or service by delivering a deeply nested ASN1 structure that exhausts JVM stack depth and triggers an unhandled StackOverflowException. All versions prior to 2.1.2 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack primitive (malformed Kerberos ASN1 message) requires no authentication and is trivially constructible, making this a realistic operational risk for any internet- or network-exposed Kerby deployment.
Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. No public exploit or active exploitation has been identified at time of analysis; EPSS data was not available in the provided intelligence.
Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's `:data` wildcard for `<macro>` elements permits injection of `data-controller` attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through `renderStreamMessage()` to achieve cross-user session manipulation without victim interaction beyond viewing the work package. Patch-confirmed by vendor GitHub Security Advisory GHSA-q33w-f822-hg8x; no public exploit identified at time of analysis.
Server-Side Request Forgery in the utm.codes WordPress plugin (versions ≤ 1.9.0) enables authenticated subscribers to induce the web server to issue arbitrary outbound HTTP requests, with the vulnerability scope extending beyond the plugin itself to potentially reachable internal network resources. The CVSS Scope:Changed rating reflects that a successful exploit can pivot the server's network identity to probe internal services, cloud metadata endpoints, or intranet hosts inaccessible to the attacker directly. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and subscriber-level privilege bar make this exploitable by any registered WordPress user on affected installations.
Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.
CSV formula injection in Statamic CMS allows an unauthenticated front-end visitor to plant spreadsheet formula payloads via public form submissions that execute when a Control Panel editor exports and opens those submissions in a spreadsheet application. Affected versions span the entire v5 branch below 5.73.24 and v6 branch from 6.0.0 below 6.20.1; vendor-released patches exist for both. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack structure is well-understood and requires no specialized tooling given the unauthenticated submission vector.
Use-after-free in Envoy's HTTP OAuth2 filter (envoy.filters.http.oauth2) across versions 1.37.0-1.37.4 and 1.38.0-1.38.2 enables unauthenticated remote attackers to crash Envoy worker threads by racing a connection teardown against an in-flight async token exchange. When a downstream client disconnects while the filter is awaiting an async OAuth2 token response, the late AsyncClient callback invokes StreamDecoderFilterCallbacks on an already-freed object, producing undefined behavior and worker crashes. The reporter explicitly disclaims RCE - confirmed impact is availability loss (DoS); allocator-dependent memory corruption effects beyond crash are theoretically possible but not demonstrated. No public exploit or CISA KEV listing identified at time of analysis.
Use-After-Free crash in Envoy's ext_authz HTTP filter allows remote unauthenticated attackers to trigger a segmentation fault and process crash by rapidly establishing and tearing down downstream connections when per-route authorization overrides are configured. Affected are Envoy versions 1.36.0-1.36.8, 1.37.0-1.37.4, and 1.38.0-1.38.2. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the race condition exploitability is constrained by requiring specific ext_authz per-route override configuration.
Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.
Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.
Stored/reflected Cross-Site Scripting in the Hester Core WordPress plugin (versions ≤ 1.1.8) allows a high-privileged authenticated user to inject malicious JavaScript into author-related fields, which then executes in victims' browsers when they view affected content. The CVSS scope change (S:C) confirms the injected script escapes the originating context and impacts other users' sessions, potentially enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, limiting immediate widespread risk despite the cross-user impact.