Stored (or persistent) XSS differs from reflected XSS in one crucial way: the malicious payload is saved to the database and served to every user who visits the affected page — not just the person who submitted it.

While reflected XSS requires tricking a victim into clicking a crafted URL, stored XSS silently lurks in the application's own data store, ready to execute in any browser that renders the page. Admins viewing a comment section are prime targets.
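
The difference shows up on the read path. As an added example (not code from the original page), the JavaScript below uses a hypothetical in-memory `commentStore` in place of the database, with constructed sample comments and hypothetical function names, to show that an unescaped render serves the stored markup to every viewer while HTML-encoding at output time serves it as inert text.

```javascript
// Added example: in-memory stand-in for the application's database (hypothetical).
const commentStore = [];

// Write path: the submitted text is stored exactly as received.
function saveComment(author, body) {
  commentStore.push({ author, body });
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable read path: stored data is concatenated straight into markup.
function renderCommentsUnsafe() {
  return commentStore
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Hardened read path: every stored field is encoded at output time.
function renderCommentsEscaped() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Each viewer requests the same page, so each one receives the same stored rows.
// Returns the viewers whose response contains a live <script> element.
function viewersServedScript(render, viewers) {
  return viewers.filter(() => /<script\b/i.test(render()));
}

// Constructed sample data: one ordinary comment, one containing markup.
saveComment("alice", "Nice post & thanks!");
saveComment("mallory", "<script>alert(1)</script>");

const viewers = ["admin", "guest"]; // constructed viewer names
console.log("unsafe render reaches:", viewersServedScript(renderCommentsUnsafe, viewers));
console.log("escaped render reaches:", viewersServedScript(renderCommentsEscaped, viewers));
console.log(renderCommentsEscaped());
```

The stored row is identical in both cases; only the render function decides whether a browser would treat it as code or as text.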