Impact
The vulnerability is an improper neutralization of input during web page generation, specifically a stored Cross-Site Scripting (XSS) flaw. An attacker can inject script into data that the plugin stores, and that script is later rendered by the browser of any user who views the page on which the plugin displays the data. Because the injected script executes in the context of the site, it can steal session cookies, deface content, or redirect users. The weakness corresponds to CWE-79.
Affected Systems
The issue affects the Urdu Formatter – Shamil plugin developed by M Bilal M for WordPress. Any installation of the plugin at version 0.1 or earlier is impacted. No specific WordPress core version is listed; the flaw lies in the plugin itself, so any WordPress installation running an affected version of Urdu Formatter – Shamil is exposed.
Risk and Exploitability
The CVSS base score of 6.5 classifies the flaw as moderate but still notable. The EPSS score is below 1 %; the vendor is aware of the issue, but the estimated probability of exploitation in the wild is currently low. The flaw is not in the CISA KEV catalog. Exploitation typically requires a site that accepts and stores user-supplied data through the plugin. An attacker would need to register or otherwise supply input that the plugin persists, then later lure a victim into viewing the stored content. If the plugin renders that content without neutralizing it, the injected code runs in the victim's browser, giving the attacker whatever privileges the victim holds on the site.
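To make the CWE-79 pattern described above concrete, the following is an added example and not code from the Urdu Formatter – Shamil plugin or its author; the shortcode name, function names and the stored sample value are hypothetical, and the vulnerable rendering is shown beside its hardened form.

```php
<?php
// Added example (hypothetical), not the plugin's own code: a WordPress shortcode
// that displays previously stored user text. The first renderer reproduces the
// stored-XSS defect the advisory describes; the second neutralizes the output.

// Constructed sample of attacker-controlled text that has already been persisted
// (for instance through a comment or post meta field the plugin accepts).
$stored = 'اردو متن <script>document.title = "xss"</script>';

// Vulnerable: the stored value is concatenated into the page verbatim, so any
// markup it contains becomes live HTML when the browser renders the plugin output.
function urdu_render_unsafe(string $stored): string
{
    return '<div class="urdu" dir="rtl">' . $stored . '</div>';
}

// Hardened: neutralize the value for an HTML text context before output.
// Inside WordPress that is esc_html(); outside WordPress, htmlspecialchars() with
// ENT_QUOTES and UTF-8 is the equivalent (UTF-8 keeps the Urdu characters intact).
// If the plugin must allow limited formatting markup, wp_kses_post() is the
// WordPress allow-list alternative to escaping everything.
function urdu_render_safe(string $stored): string
{
    $escaped = function_exists('esc_html')
        ? esc_html($stored)
        : htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="urdu" dir="rtl">' . $escaped . '</div>';
}

// Register only the safe renderer as the shortcode handler when running inside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('urdu_demo', function () use ($stored) {
        return urdu_render_safe($stored);
    });
}

// Stand-alone comparison: the first line delivers the <script> tag to the browser
// intact; the second turns it into inert text (&lt;script&gt;...).
echo urdu_render_unsafe($stored), PHP_EOL;
echo urdu_render_safe($stored), PHP_EOL;
```

Run with `php example.php` to compare the two outputs; a grep for `<script` in the rendered HTML of any page that displays plugin-stored text is a quick check that the escaped path is the one actually in use.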
OpenCVE Enrichment