The AIOS plugin suffers from a stored XSS vulnerability due to improper neutralization of input in the get_rest_route() function and lack of output escaping in the column_default() method of the debug log list table. Specifically, when 'Disable REST API for non-logged in users' and debug logging are enabled, an attacker can send a REST request with a URL-encoded payload that is decoded and stored unsanitized in the debug logs. The debug log page then outputs this raw data without escaping, causing JavaScript execution in the administrator's session. This vulnerability allows an unauthenticated attacker to execute arbitrary scripts in the admin context, risking nonce theft, privileged AJAX/REST actions, and potential full site compromise.

An unauthenticated attacker can inject and store malicious JavaScript in the plugin's debug logs, which executes when an administrator views the debug log page. This can lead to theft of security tokens (nonces), execution of privileged AJAX or REST actions, and potentially full compromise of the WordPress site. The CVSS 3.1 base score is 7.2 (high severity), reflecting network attack vector, no privileges required, no user interaction, and impact on confidentiality and integrity with scope change.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider disabling the 'Disable REST API for non-logged in users' feature or debug logging to prevent exploitation. Avoid viewing the AIOS Dashboard Debug Logs page if these features are enabled and untrusted REST requests are possible. Monitor vendor channels for an official patch or update addressing this vulnerability.