Impact
The vulnerability allows an attacker to forge a request that causes the Prayer Times Anywhere plugin to store malicious script code, which then executes whenever a user views a page containing the stored payload. This stored XSS can compromise the confidentiality, integrity, or availability of the affected WordPress site, including theft of user credentials and potential full site takeover. The underlying weakness is a Cross-Site Request Forgery that introduces an XSS payload, classified as CWE-352.
Affected Systems
Any WordPress installation with the Prayer Times Anywhere plugin by mmrs151 at version 2.0.1 or earlier is affected; the vulnerable range runs from the first released version through 2.0.1 inclusive. Administrators or users with sufficient privileges to trigger the plugin's input handling would be impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious site or link that, when visited by a user who holds an authenticated session on the vulnerable WordPress site, sends a forged request that stores the attacker's script. The description does not specify additional requirements, so the attack is inferred to be achievable from any authenticated session to the site.
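To show the defensive pattern the CWE-352 classification points at, the following is an added example of a hypothetical WordPress plugin settings handler; it is not code from Prayer Times Anywhere. The option name `pta_demo_title`, the `pta_demo_save` action and all function names are assumed. The weak handler trusts any POST and echoes the stored value unescaped; the hardened one ties the form to a nonce, checks the capability, sanitises on input and escapes on output.

```php
<?php
// Added example (not Prayer Times Anywhere code): a hypothetical settings form
// for a WordPress plugin, showing the CSRF-exposed pattern next to the
// hardened one. Option name 'pta_demo_title' and the action name are assumed.

// WEAK: any POST that reaches this handler is trusted. A forged request from
// another site, riding on the victim's logged-in session, can store a value
// that is later rendered unescaped (CWE-352 leading to stored XSS).
function pta_demo_save_weak() {
    if ( isset( $_POST['pta_demo_title'] ) ) {
        update_option( 'pta_demo_title', $_POST['pta_demo_title'] );
    }
}

function pta_demo_render_weak() {
    echo '<h2>' . get_option( 'pta_demo_title', '' ) . '</h2>'; // unescaped output
}

// HARDENED: the form carries a nonce bound to the user's session and to this
// action; the handler rejects requests without a valid nonce, verifies the
// capability, sanitises the input and escapes at output time.
function pta_demo_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'pta_demo_save', 'pta_demo_nonce' );
    echo '<input type="hidden" name="action" value="pta_demo_save">';
    echo '<input type="text" name="pta_demo_title" value="'
        . esc_attr( get_option( 'pta_demo_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function pta_demo_save_hardened() {
    // A third-party page cannot obtain the victim's nonce, so a forged request dies here.
    check_admin_referer( 'pta_demo_save', 'pta_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $title = isset( $_POST['pta_demo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['pta_demo_title'] ) )
        : '';
    update_option( 'pta_demo_title', $title );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

function pta_demo_render_hardened() {
    // Escaping at output means anything that reached the option cannot run as script.
    echo '<h2>' . esc_html( get_option( 'pta_demo_title', '' ) ) . '</h2>';
}

add_action( 'admin_post_pta_demo_save', 'pta_demo_save_hardened' );
```

The nonce check addresses the forged request itself, while the output escaping limits the impact should a malicious value still be stored through another path.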
OpenCVE Enrichment