The Community by PeepSo WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. When Markdown support is enabled, URLs in user-generated content such as posts, comments, and profiles are not properly sanitized or escaped, enabling authenticated users with at least Subscriber privileges to inject arbitrary JavaScript. This malicious code executes in the context of other users viewing the affected pages, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to 6.4.6.1. The CVSS 3.1 base score is 5.4, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and partial confidentiality and integrity impact without availability impact. No patch or official fix information is currently available.

An authenticated attacker with Subscriber-level access or higher can inject persistent malicious scripts into posts, comments, or user profiles when Markdown is enabled. These scripts execute in the browsers of users who view the infected content, potentially compromising user sessions or performing unauthorized actions within the affected site context. The impact is limited to confidentiality and integrity with no direct availability impact. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling Markdown support in the plugin to prevent exploitation. Additionally, restrict user roles and permissions to minimize the risk of malicious content injection. Monitor plugin updates from PeepSo for an official patch addressing this vulnerability.