The WP Bulk Delete plugin for WordPress, developed by Xylus Themes, contains a stored cross-site scripting vulnerability identified as CVE-2024-47352. This vulnerability is due to improper input neutralization during web page generation, enabling attackers to inject persistent malicious scripts. It affects all versions through 1.3.1. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No vendor advisory or patch links are currently available, and the plugin is not a cloud service.

Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of affected users' browsers. This may lead to partial disclosure of sensitive information, modification of data, or disruption of availability related to the plugin's functionality. The CVSS score of 7.1 reflects these impacts. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting use of the WP Bulk Delete plugin to trusted users only and avoid exposing it to untrusted input. Monitor the vendor's channels for updates and apply patches promptly once available.