A high-severity vulnerability has been identified in the "Footnotes Made Easy" plugin for WordPress, affecting all versions up to and including version 3. This flaw allows an attacker to inject malicious code into the website, which can lead to the theft of sensitive user and administrator data, website defacement, or redirection of visitors to malicious sites. Organizations using this plugin are at risk of account takeovers and reputational damage.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An authenticated attacker with permissions to access the plugin's settings can inject malicious JavaScript code into one of the configuration fields. Because the input is not properly sanitized, this malicious code is saved to the website's database and is executed in the browser of any user who views the plugin's output or any administrator who accesses the vulnerable settings page, potentially leading to session cookie theft, account takeover, or further attacks.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant negative business impacts, including the compromise of administrator accounts, which would give an attacker full control over the affected WordPress site. This could result in unauthorized content modification, theft of customer or user data, reputational damage, and a loss of trust from visitors and customers. The website could also be used to launch further attacks against its visitors, creating legal and financial liabilities for the organization.

Immediate Action: Immediately update the "Footnotes Made Easy" plugin to the latest patched version (greater than version 3) as recommended by the vendor. If the plugin is not essential for business operations, consider deactivating and uninstalling it to completely remove the attack surface.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious POST requests to the plugin's settings pages, specifically looking for HTML tags like <script> or JavaScript event handlers (e.g., onload, onerror). Regularly scan the website for unauthorized code injections or unexpected changes in front-end behavior.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with strict XSS filtering rules to block malicious payloads. Additionally, restrict access to the WordPress administrative dashboard to trusted IP addresses and enforce the principle of least privilege for all user roles to limit the number of accounts that could exploit the vulnerability.

Public Exploit Available: false

Given the high severity (CVSS 7.2) of this Stored XSS vulnerability, immediate action is strongly recommended. Organizations should prioritize applying the vendor-supplied patch to all affected WordPress instances. Although this CVE is not currently listed on the CISA KEV catalog, the risk of administrator account compromise warrants treating this remediation with urgency to prevent potential website takeover and data breaches.