Impact
The vulnerability is a stored cross-site scripting (XSS) flaw, classified as Improper Neutralization of Input During Web Page Generation (CWE-79). It allows an attacker to inject malicious JavaScript that is persisted by the AddFunc Mobile Detect plugin and subsequently executed in the browser of any user who views the affected content. This could lead to cookie theft, session hijacking, defacement, or the execution of arbitrary client-side code. The impact is on confidentiality, integrity, and user experience for all visitors to the site. The likely attack vector is any input field whose value the plugin accepts and stores; the description does not state this explicitly, so it is an inference.
Affected Systems
The AddFunc Mobile Detect plugin for WordPress, released by Joe Rhoney, is affected in all versions up to and including 3.1. No specific patch version is provided in the data.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity level. The EPSS score of less than 1% suggests a very low exploitation probability at this time, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is a stored XSS, an attacker would typically need to inject content that the plugin stores and displays; exploitation would therefore require the attacker to submit malicious input via the plugin's interface. No prerequisites beyond normal plugin usage are described, so the risk remains moderate but with a low likelihood of immediate exploitation.